Microsoft Azure Fundamentals (AZ-900)

Practice Exam

About Microsoft Azure Fundamentals (AZ-900) Practice Exam


This exam measures your ability to accomplish the technical tasks listed below.
The percentages indicate the relative weight of each major topic area on the
exam. The higher the percentage, the more questions you are likely to see on
that content area on the exam. Some details of the exam are listed below:

• Languages: English
• Audiences: IT professionals
• Technology: Microsoft Azure
• Price: $99.00 USD*

Note: The content of this exam was updated on May 28, 2020.

Exam Structure
1. Describe Cloud Concepts (15-20%)
Describe the benefits and considerations of using cloud services

• Describe terms such as High Availability, Scalability, Elasticity, Agility,
Fault Tolerance, and Disaster Recovery

• Describe the principles of economies of scale


• Describe the differences between Capital Expenditure (CapEx) and
Operational Expenditure (OpEx)

• Describe the consumption-based model


Describe the differences between Infrastructure-as-a-Service (IaaS),
Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS)

• Describe Infrastructure-as-a-Service (IaaS)


• Describe Platform-as-a-Service (PaaS)
• Describe Software-as-a-Service (SaaS)
• Compare and contrast the three different service types
Describe the differences between Public, Private and Hybrid cloud models

• Describe Public cloud


• Describe Private cloud
• Describe Hybrid cloud
• Compare and contrast the three different cloud models
2. Describe Core Azure Services (30-35%)
Describe the core Azure architectural components

• Describe Regions
• Describe Availability Zones
• Describe Resource Groups
• Describe Azure Resource Manager
• Describe the benefits and usage of core Azure architectural components
Describe some of the core products available in Azure

• Describe products available for Compute such as Virtual Machines, Virtual
Machine Scale Sets, App Services, Azure Container Instances (ACI) and Azure
Kubernetes Service (AKS)
• Describe products available for Networking such as Virtual Network, Load
Balancer, VPN Gateway, Application Gateway and Content Delivery
Network
• Describe products available for Storage such as Blob Storage, Disk
Storage, File Storage, and Archive Storage
• Describe products available for Databases such as Cosmos DB, Azure
SQL Database, Azure Database for MySQL, Azure Database for
PostgreSQL, Azure Database Migration service
• Describe the Azure Marketplace and its usage scenarios
Describe some of the solutions available on Azure

• Describe Internet of Things (IoT) and products that are available for IoT on
Azure such as IoT Hub and IoT Central
• Describe Big Data and Analytics and products that are available for Big
Data and Analytics such as Azure Synapse Analytics, HDInsight, and Azure
Databricks
• Describe Artificial Intelligence (AI) and products that are available for AI
such as Azure Machine Learning Service and Studio
• Describe Serverless computing and Azure products that are available for
serverless computing such as Azure Functions, Logic Apps, and Event Grid
• Describe DevOps solutions available on Azure such as Azure DevOps and
Azure DevTest Labs
• Describe the benefits and outcomes of using Azure solutions
Describe Azure management tools

• Describe Azure tools such as Azure Portal, Azure PowerShell, Azure CLI
and Cloud Shell
• Describe Azure Advisor

3. Describe Security, Privacy, Compliance, and Trust (25-30%)


Describe securing network connectivity in Azure

• Describe Network Security Groups (NSG)


• Describe Application Security Groups (ASG)
• Describe User Defined Rules (UDR)
• Describe Azure Firewall
• Describe Azure DDoS Protection
• Choose an appropriate Azure security solution
Describe core Azure Identity services

• Describe the difference between authentication and authorization


• Describe Azure Active Directory
• Describe Azure Multi-Factor Authentication
Describe security tools and features of Azure

• Describe Azure Security Center


• Describe Azure Security Center usage scenarios
• Describe Key Vault
• Describe Azure Information Protection (AIP)
• Describe Azure Advanced Threat Protection (ATP)
Describe Azure governance methodologies

• Describe policies and initiatives with Azure Policy


• Describe Role-Based Access Control (RBAC)
• Describe Locks
• Describe Azure Advisor security assistance
• Describe Azure Blueprints
Describe monitoring and reporting options in Azure

• Describe Azure Monitor


• Describe Azure Service Health
• Describe the use cases and benefits of Azure Monitor and Azure Service
Health
Describe privacy, compliance and data protection standards in Azure

• Describe industry compliance terms such as GDPR, ISO and NIST


• Describe the Microsoft Privacy Statement
• Describe the Trust center
• Describe the Service Trust Portal
• Describe Compliance Manager
• Determine if Azure is compliant for a business need
• Describe Azure Government cloud services
• Describe Azure China cloud services

4. Describe Azure Pricing, Service Level Agreements, and Lifecycles (20-25%)
Describe Azure subscriptions

• Describe an Azure Subscription


• Describe the uses and options with Azure subscriptions such as access
control and offer types
• Describe subscription management using Management groups
Describe the planning and management of costs

• Describe options for purchasing Azure products and services


• Describe options around Azure Free account
• Describe the factors affecting costs such as resource types, services,
locations, ingress and egress traffic
• Describe Zones for billing purposes
• Describe the Pricing calculator
• Describe the Total Cost of Ownership (TCO) calculator
• Describe best practices for minimizing Azure costs such as performing
cost analysis, creating spending limits and quotas, using tags to identify cost
owners, using Azure reservations and using Azure Advisor
recommendations
• Describe Azure Cost Management
Describe Azure Service Level Agreements (SLAs)

• Describe a Service Level Agreement (SLA)


• Describe Composite SLAs
• Describe how to determine an appropriate SLA for an application
Describe service lifecycle in Azure

• Describe Public and Private Preview features


• Describe the term General Availability (GA)
• Describe how to monitor feature updates and product changes

Who should take this exam?


This exam is designed for candidates looking to demonstrate foundational level
knowledge of cloud services and how those services are provided with Microsoft
Azure. The exam is intended for candidates with non-technical backgrounds,
such as those involved in selling or purchasing cloud-based solutions and
services or who have some involvement with cloud-based solutions and services,
as well as those with a technical background who have a need to validate their
foundational level knowledge around cloud services. Technical IT experience is
not required; however, some general IT knowledge or experience would be
beneficial.
This exam can be taken as an optional first step in learning about cloud services
and how those concepts are exemplified by Microsoft Azure. It can be taken as a
precursor to Microsoft Azure or Microsoft cloud services exams. While it would
be a beneficial first step, validating foundational level knowledge, taking this
exam is not a pre-requisite before taking any other Azure-based certifications.

What do we offer?

• Full-Length Mock Test with unique questions in each test set


• Practice objective questions with section-wise scores
• In-depth and exhaustive explanation for every question
• Reliable exam reports evaluating strengths and weaknesses
• Latest Questions with an updated version
• Tips & Tricks to crack the test
• Unlimited access

What are our Practice Exams?

• Practice exams have been designed by professionals and domain experts
to simulate a real-time exam scenario.
• Practice exam questions have been created on the basis of content
outlined in the official documentation.
• Each set in the practice exam contains unique questions built with the
intent to provide real-time experience to the candidates as well as gain more
confidence during exam preparation.
• Practice exams help to self-evaluate against the exam content and work
towards building strength to clear the exam.
• You can also create your own practice exam based on your choice and
preference

100% Assured Test Pass Guarantee


We have built the TestPrepTraining Practice exams with 100% Unconditional and
assured Test Pass Guarantee!
If you are not able to clear the exam, you can ask for a 100% refund.

Microsoft Azure: Services

You must be familiar with the various cloud services that you can access
using Microsoft Azure. However, the main focus of this Azure cheat sheet is to get
in-depth knowledge about these services. Below, you can see short descriptions
of the services.

AI and Machine Learning

Service | Description
Azure Bot Service | It refers to an intelligent and serverless bot service that scales on demand.
Azure Databricks | It is an analytics platform built on Apache Spark with higher speed and simplicity alongside collaborative features.
Azure Cognitive Search | This is an AI-based cloud search service used for developing mobile and web applications.
Bing Autosuggest | It equips an app with proactive autosuggest options used for searching.
Bing Custom Search | It is basically a simple, ad-free and commercial search tool.
Bing Entity Search | It is an ideal tool for having a better search experience by identification and improvement of entity information from the internet.
Bing Image Search | Bing Image Search looks for images and then obtains in-depth results.
Bing News Search | This first looks for news and then gives detailed results.
Bing Spell Check | It is for identifying and resolving spelling mistakes in an app.
Bing Video Search | This first searches for videos and gets a wide variety of results.
Bing Visual Search | Bing Visual Search is used for obtaining credible insights for creating attractive image applications on a particular device.
Bing Web Search | This helps in obtaining top search details from massive varieties of web documents.
Cognitive Services | It includes smart API capabilities for getting the power of contextual interactions.
Computer Vision | It helps in refining the actionable visions from the images.
Content Moderator | This is a process of automated moderation for images, text and videos.
Custom Vision | In this, there is simple customization of advanced computer vision models for the particular use case.
Data Science Virtual Machines | This can be referred to as a feature-rich and pre-defined AI development environment.
Face | It includes processes like recognition, identification, analysis, organization and tagging of faces in images.
Azure Machine Learning | It is an end-to-end platform with experimentation and model management capabilities with higher scalability to hold the power of AI.
Machine Learning Studio | It helps in easier development, deployment and management of predictive analytics solutions.
Microsoft Genomics | This is for obtaining credible insights into power genome sequencing and research.
Language Understanding | It includes modeling apps for understanding the commands from users.
Form Recognizer | This is an AI-based document extraction service.
Ink Recognizer | This is an AI-based service used for identifying digital ink content such as shapes or handwriting.
Personalizer | This refers to an AI service for delivering a personalized user experience.
QnA Maker | It is for filtering the information in the form of interactive and easy-to-understand answers.
Speaker Recognition | This helps in speech identification and verification of individual speakers.
Speech Translation | This helps in easy integration of real-time speech translation in an app.
Speech to Text | This helps in converting spoken audio into text.
Text Analytics | It is used for evaluation of sentiment and topics for understanding user requirements.
Text to Speech | In this, there is conversion of text to speech.
Translator Text | It is for easy machine translation using a REST API call.
Video Indexer | This is for exploring multiple video insights.
Kinect DK | It helps in creating computer vision and speech models by leveraging a developer kit with advanced AI sensors.
Anomaly Detector | It is responsible for the addition of anomaly detection features in apps.
Azure Open Datasets | This includes a cloud platform for hosting and sharing curated open datasets for faster machine learning model development.
Immersive Reader | This includes an interactive feature for reading and understanding the text.

Analytics

Service | Description
Azure Databricks | This is an Apache Spark-based analytics platform with features for better speed, ease and collaboration.
Azure Stream Analytics | In this, there is real-time processing of data streams from millions of IoT devices.
Azure Synapse Analytics | This refers to a powerful analytics service with superior time to insight.
HDInsight | It helps in provisioning cloud Hadoop, Storm, R Server, HBase and Spark clusters.
Data Factory | This helps in easier enterprise-scale hybrid data integration.
Data Lake Analytics | This refers to a distributed analytics service.
Event Hubs | It helps in receiving telemetry from multiple devices.
Power BI Embedded | It is for embedding highly interactive and appealing data visualizations in an application.
Azure Analysis Services | It includes an enterprise-grade analytics engine provided as a service.
R Server for HDInsight | This includes services for machine learning and predictive analytics, including statistical modeling for big data.
Data Catalog | This helps in extracting additional value from the enterprise data assets.
Azure Data Lake Storage | This is a secure data lake service with higher scalability, based on Azure Blob Storage.
Azure Data Explorer | This includes services like data exploration with higher speed and scalability.
Azure Data Share | It has services for sharing big data with external enterprises, well known for simplicity and security.

Blockchain

Service | Description
Azure Blockchain Service | It includes services for building, governing and expanding consortium blockchain networks.
Azure Blockchain Workbench | This is for easily prototyping blockchain apps in the cloud.
Logic Apps | In this, there is automation of access to and use of data across clouds without writing code.
Azure Cosmos DB | It refers to a multi-model and globally distributed database for any scale.
Azure Blockchain Tokens | This helps in easily defining, creating, and managing ledger-based tokens.

Compute

Service | Description
Virtual Machines | There is fast provisioning of Windows and Linux virtual machines.
Azure Kubernetes Service (AKS) | This service is for simplifying the deployment, management, and operations of Kubernetes.
Service Fabric | This helps in developing microservices and container orchestration on Linux or Windows.
App Service | There is fast creation of powerful cloud apps for the web and mobile using this service.
Container Instances | It runs containers on Azure easily without managing the server.
Batch | It is responsible for cloud-scale job scheduling and compute management.
SQL Server on Virtual Machines | It helps in hosting enterprise SQL Server apps on the cloud.
Cloud Services | This helps in creating highly scalable cloud applications and APIs.
SAP HANA on Azure Large Instances | It helps in running large SAP HANA workloads of any hyper-scale cloud provider.
Azure Functions | It helps in processing events using serverless code.
Virtual Machine Scale Sets | This service scales and manages thousands of Windows and Linux virtual machines.
Web Apps | It develops and deploys essential web apps quickly at scale.
Mobile Apps | This helps in creating and hosting the backend for any mobile app.
API Apps | It helps in easily developing and utilizing cloud APIs.
Linux Virtual Machines | It helps in provisioning virtual machines for Red Hat, Ubuntu and many more.
Windows Virtual Desktop | This provides the best virtual desktop experience on Azure.
Azure CycleCloud | It helps in creating, managing, operating, and optimizing HPC and big compute clusters of any scale.
Azure VMware Solution by CloudSimple | This will help you run your VMware workloads natively on Azure.
Azure Dedicated Host | This refers to a dedicated physical server for hosting Azure VMs for Linux and Windows.
Azure Spring Cloud | This is a perfectly managed Spring Cloud service that is created and controlled using Pivotal.

Containers

Service | Description
Azure Kubernetes Service (AKS) | This includes the process of simplifying the deployment, management, and operations of Kubernetes.
Service Fabric | There is development of microservices and arrangement of containers on Linux or Windows.
Container Instances | This helps in running containers on Azure easily without managing the servers.
Azure Functions | This helps in processing events using serverless code.
Container Registry | This is for storing and managing the container images on all kinds of Azure deployments.
Web Apps | This helps in creating and deploying essential web apps quickly at scale.
Mobile Apps | This helps in creating and hosting the backend for mobile apps.
API Apps | It helps in easily developing and utilizing cloud APIs.
Web App for Containers | It helps in building and running containerized web apps that scale according to business
Azure Red Hat OpenShift | It helps in managing a complete OpenShift service that operates in alliance with Red Hat.

Databases

Service | Description
Azure API for FHIR | This service quickly creates and deploys the FHIR service for interoperability and health data solutions.
SQL Server on Virtual Machines | It is for hosting enterprise SQL Server apps in the cloud.
Azure SQL Database | It is referred to as an intelligent and managed SQL on the cloud.
Azure Cosmos DB | It is a globally distributed multi-model database for all scales.
Azure Cache for Redis | It powers applications with low-latency and high-throughput data access.
Table Storage | In this, there is a NoSQL key-value store using semi-structured datasets.
Azure Database for PostgreSQL | This contains a managed PostgreSQL database service for app developers.
Azure Database for MariaDB | It contains a managed MariaDB database service for app developers.
Azure Database for MySQL | It contains a managed MySQL database service for app developers.
Azure Database Migration Service | In this, there is migration of on-premises databases to the cloud.
Azure SQL Database Edge | This contains a small-footprint and optimized data engine, with in-built AI.

Developer Tools

Service | Description
Visual Studio | This refers to a flexible and powerful environment for creating applications in the cloud.
Visual Studio Code | This is a powerful code editor for cloud development.
SDKs | This helps you in getting the command-line tools and SDKs required.
Azure DevOps | It will provide services for teams to track work, share code, and ship software.
Azure Pipelines | These are responsible for continuously building, testing and deploying to any cloud and platform.
Azure Lab Services | It develops the lab for classrooms, testing, trials and other potential applications.
Azure DevTest Labs | This helps in quickly creating environments using reusable artifacts and templates.
Developer tool integrations | This provides access to development tools like Maven, Eclipse and IntelliJ within Azure.
App Configuration | This helps in fast and scalable parameter storage for app configuration.
Visual Studio Online | It includes cloud-powered development environments that can be used from anywhere.

DevOps

Service | Description
Azure DevOps | This provides services for sharing code, tracking work and shipping software.
Azure Pipelines | It helps in continuous development, testing and deployment to any cloud and platform.
Azure Boards | This helps in planning, tracking and discussing work with your teams.
Azure Repos | This gives you access to endless cloud-hosted private Git repos for your project.
Azure Artifacts | It helps in creating, hosting and sharing packages across the team.
Azure Test Plans | In this, you can use a manual and analytic testing toolkit to ship and test with confidence.
Azure DevTest Labs | It helps in the faster creation of environments with reusable artifacts and templates.
DevOps tool integrations | It provides the facility to use your favourite DevOps tools with Azure.
Azure Monitor | This provides a full inspection of your applications, network, and infrastructure.

Hybrid

Service | Description
Azure SQL Database | It is a manageable and intelligent SQL database service on the cloud.
Azure Active Directory | In this, first there is synchronization of on-premises directories and then it enables single sign-on.
Azure DevOps | It provides services for teams for sharing code, tracking work and shipping software.
Azure ExpressRoute | It provides dedicated private network fiber connections to Azure.
Security Center | It provides integrated security management with advanced threat protection for hybrid cloud workloads.
Azure Database for PostgreSQL | This provides a managed PostgreSQL database service for app developers.
Azure Stack | This helps in building and running hybrid applications across cloud boundaries.
Azure Sentinel | This provides intelligent security analytics and cloud-native SIEM for protecting your enterprise.
Azure Arc | This brings Azure services and management to any infrastructure.
Azure IoT Edge | This will extend cloud analytics and intelligence to edge devices.

Identity

Service | Description
Azure Active Directory | It helps in synchronizing on-premises directories and enabling single sign-on.
Azure Information Protection | It helps you in protecting your sensitive information.
Azure Active Directory Domain Services | Using this can help you in joining Azure virtual machines to a domain without domain controllers.
Azure Active Directory B2C | It is for consumer identity and access management in the cloud.

Integration

Service | Description
Azure API for FHIR | This helps in easily creating and deploying the FHIR service for interoperability and health data solutions.
Event Grid | It will help you in getting reliable event delivery at huge scale.
Logic Apps | This helps in automating access and utilization of data on multiple clouds without writing code.
API Management | It helps in publishing APIs to partners, employees and developers securely at scale.
Service Bus | This helps you in connecting public and private cloud environments.

Internet of Things

Service | Description
Azure IoT Hub | This hub connects, monitors and manages billions of IoT assets.
Azure IoT Central | This helps in increasing the speed of developing IoT solutions.
Azure IoT solutions accelerators | It creates fully customizable solutions using templates for general IoT scenarios.
Azure Sphere | It helps in securely connecting MCU-powered devices to the cloud.
Azure Time Series Insights | In this, there is reviewing and analyzing of the time-series data from IoT devices.
Azure Maps | It includes simple and safe location APIs that provide geospatial context to specific data.
Azure Functions | It processes events with serverless code.
Event Grid | It provides secure event delivery at huge scale.
Windows 10 IoT Core Services | This provides long-term OS support and services for managing device health and updates.
Azure Machine Learning | This helps in bringing AI to everyone with a scalable and trusted platform including experimentation and model management.
Machine Learning Studio | In this, there is creation, deployment, and management of predictive analytics solutions.
Azure Stream Analytics | There is real-time processing of data streams from millions of IoT devices.
Logic Apps | It helps in automating data access and the use of data across clouds without writing code.
Notification Hubs | This helps you to send push notifications to any platform from any back end.
Azure Cosmos DB | This is a multi-model and globally distributed database for any scale.
API Management | This will help in publishing APIs securely to partners, employees and developers.
Azure Digital Twins | This service is for developing next-generation IoT spatial intelligence solutions.
Kinect DK | This service is for building computer vision and speech models using a developer kit with high-level AI sensors.
Azure SQL Database Edge | It includes an edge-optimized data engine with in-built AI capabilities.
Azure IoT Edge | This will extend cloud intelligence and analytics to edge devices.

Management and Governance

Service | Description
Azure Backup | This helps in simplifying data protection and secures it from ransomware.
Azure Site Recovery | It includes an in-built disaster recovery service for running the business.
Azure Advisor | This service acts as a personalized engine for Azure best practices.
Scheduler | It will help run your jobs using simple and complex recurring schedules.
Automation | This helps in simplifying cloud management using process automation.
Traffic Manager | This helps in routing incoming traffic for higher availability and performance.
Azure Monitor | This keeps a full observation of all infrastructure, networks, and applications.
Network Watcher | In this, there is a network performance monitoring and diagnostics solution.
Azure Service Health | This will provide you personalized support and guidance when there is an issue in Azure services.
Microsoft Azure portal | This can build, manage and monitor all Azure products in a single console.
Azure Resource Manager | This will help you in managing app resources.
Cloud Shell | It is a browser-based shell for streamlining Azure administration.
Azure mobile app | This will help you connect to Azure resources.
Azure Policy | There is implementation of corporate governance and standards for Azure resources at scale.
Cost Management + Billing | It will help you optimize cloud expenditures while maximizing cloud potential.
Azure Managed Applications | This helps you in managing cloud products and services.
Azure Migrate | Using this, you can easily discover, assess, right-size and migrate on-premises VMs to Azure.
Azure Blueprints | This supports the faster and repeatable development of governed environments.
Azure Lighthouse | This empowers service providers to manage customers with precision and at scale.
Azure Resource Manager templates | In this, there is delivery of infrastructure as code for all the Azure resources using Resource Manager.

Media

Service | Description
Content Delivery Network | This service provides secure and reliable delivery of content globally.
Media Services | This service encodes, stores and streams video and audio at any scale.
Encoding | It includes studio-grade encoding tailored for the cloud.
Live and On-Demand Streaming | This service helps in delivering content to virtually all devices according to business needs.
Azure Media Player | This is the single media player for all playback requirements.
Content Protection | This helps in safely delivering content using FairPlay, AES, Widevine and PlayReady.
Video Indexer | This unlocks the video's insights.

Migration

Service | Description
Azure Site Recovery | It includes an in-built disaster recovery service to keep businesses running.
Cost Management + Billing | It will help you optimize cloud expenditures while maximizing cloud potential.
Azure Database Migration Service | It will help in simplifying on-premises database migration to the cloud.
Azure Migrate | Using this, you can easily discover, right-size and migrate on-premises VMs to Azure.
Data Box | This includes appliances and solutions for transferring data to Azure and edge computing.

Mixed Reality

Service | Description
Azure Digital Twins | This service develops next-generation solutions for IoT spatial intelligence.
Spatial Anchors | In this, there is development of multi-user, spatially aware mixed reality experience solutions.
Kinect DK | In this, you can create computer vision and speech models by using a developer kit with powerful AI sensors.
Remote Rendering | This service is for rendering interactive, high-quality 3D content and then streaming the content to users' devices in real time.

Mobile

Service | Description
App Service | This service helps in faster development of powerful web and mobile cloud apps.
Azure Maps | This includes simple and safe location APIs for providing geospatial attributes to data.
Notification Hubs | This helps you to send push notifications to any platform from any back end.
API Management | This will help in publishing APIs securely to partners, employees and developers.
Web Apps | This is for quick creation and deployment of mission-critical web apps at scale.
Mobile Apps | Using this, you can build and host the backend of any mobile app.
API Apps | This helps in easily building and utilizing cloud APIs.
Azure mobile app | This helps you in maintaining connectivity with Azure resources from anywhere.
Visual Studio App Center | This helps in continuously building, testing, releasing and monitoring mobile and desktop apps.
Xamarin | This helps in creating cloud-based mobile apps at a very fast rate.
Web App for Containers | This helps in easily deploying and running containerized web apps that scale with your business requirements.

Networking

Service | Description
Content Delivery Network | This service provides secure and reliable delivery of content globally.
Azure ExpressRoute | This provides dedicated private network fiber connections to Azure.
Azure DNS | This helps in hosting service for the DNS domain on Azure.
Virtual Network | In this, there is provisioning of private networks, optionally connecting on-premises datacenters.
Traffic Manager | This helps in routing incoming traffic for higher availability and performance.
Load Balancer | This service helps in delivering high network performance and availability to your applications.
VPN Gateway | This is for setting up secure, cross-premises connectivity.
Application Gateway | This helps in developing secure and scalable web front ends in Azure.
Azure DDoS Protection | This protects applications against Distributed Denial of Service (DDoS) attacks.
Network Watcher | This is a complete solution for network diagnostics and performance monitoring.
Azure Firewall | This has native firewall capabilities with in-built higher availability, zero maintenance, and unlimited cloud scalability.
Virtual WAN | This is for optimizing and automating connectivity between branches using Azure.
Azure Front Door | This provides a secured, scalable delivery point globally for microservice-based web applications.
Azure Bastion | This includes private and fully managed RDP and SSH access for virtual machines.
Azure Private Link | This provides private access for services hosted on the Azure platform and keeps data on the Microsoft network.
Azure Internet Analyzer | This helps in testing how networking infrastructure changes will impact customer performance.
Azure Firewall Manager | This contains centralized network security policy and route management for software-specific, globally distributed perimeters.
Web Application Firewall | This refers to a cloud-native web application firewall (WAF) service that provides powerful protection for web apps.

Security

Service | Description
Azure Active Directory | This helps you synchronize on-premises directories and enable single sign-on.
Azure Information Protection | This helps in protecting your sensitive information anywhere.
Azure Active Directory Domain Services | This gives access to a domain without using the domain controller by joining Azure virtual machines.
Key Vault | This will safeguard and maintain control of keys and other secrets.
Security Center | This will combine security management and implement advanced threat protection measures across hybrid cloud workloads.
Azure Dedicated HSM | This service helps in managing hardware security modules used in the cloud.
VPN Gateway | This helps in setting up secure, cross-premises connectivity.
Application Gateway | There is development of secure, scalable and highly available web front ends in Azure.
Azure DDoS Protection | This is for protecting your applications from Distributed Denial of Service (DDoS) attacks.
Azure Sentinel | This will help in protecting enterprises by putting cloud-native SIEM and intelligent security analytics to work.

Storage

Service: Description
Storage Accounts: Provides durable, scalable and highly available cloud storage services.
Azure Backup: Helps protect data and provides security from ransomware.
StorSimple: Helps lower costs with an enterprise-scale hybrid cloud storage solution.
Azure Data Lake Storage: A highly scalable and secure data lake built on Azure Blob Storage.
Blob Storage: REST-based object storage intended for unstructured data.
Disk Storage: Provides secure disk options supporting virtual machines.
Managed Disks: Provides secure disk storage supporting virtual machines.
Queue Storage: Helps scale apps effectively according to traffic.
File Storage: File shares that use the standard SMB 3.0 protocol.
Data Box: Appliances and solutions for transferring data to edge compute and Azure.
Avere vFXT for Azure: Runs high-performance, file-centric workloads in the cloud.
Azure FXT Edge Filer: A hybrid storage optimization solution for HPC environments.
Azure HPC Cache: A file caching service for high-performance computing (HPC).
Archive Storage: Provides an industry-leading price point for storing rarely accessed data.
Storage Explorer: For exploring and interacting with Azure Storage resources.
Azure NetApp Files: Enterprise-grade Azure file shares powered by NetApp.
Azure Data Share: A simple and safe service for sharing big data with external organizations.

Web

Service: Description
App Service: Helps you quickly create powerful web and mobile apps for the cloud.
Azure Maps: Simple and safe location APIs for adding geospatial attributes to data.
Content Delivery Network: Provides fast, reliable and safe content delivery globally.
Azure Cognitive Search: An AI-based cloud search service for mobile and web app development.
Notification Hubs: Helps you send push notifications to any platform from any back end.
API Management: Helps publish APIs securely to partners, employees and developers.
Web Apps: Quick creation and deployment of mission-critical web apps at scale.
Mobile Apps: Lets you build and host the backend of any mobile app.
API Apps: Helps you easily build and consume cloud APIs.
Web App for Containers: Helps you easily deploy and run containerized web apps that scale with your business requirements.
Azure SignalR Service: Adds real-time web functionality.
Azure Spring Cloud: A fully managed Spring Cloud service that is created and controlled with Pivotal.

Windows Virtual Desktop

Service: Description
Windows Virtual Desktop: Provides the best virtual desktop experience, delivered on Azure.

Now that we have covered the services of Microsoft Azure, let’s move to another
essential part of an Azure cheat sheet: the Command-Line Interface.

Command-Line Interface (CLI) of Azure

The Microsoft Azure CLI belongs in every Azure cheat sheet. The Azure command-line
interface is the command-line tool used for managing Azure resources. Working with
it also gives you a better understanding of how its commands are used. The CLI is
also a powerful tool for building custom automation around Azure resources. Before
proceeding further with this cheat sheet, let’s cover the basics of the Azure CLI.

The Azure CLI is easiest to use from an Azure Cloud Shell environment in a
browser. With a local install, first check the version of the Azure CLI with the
‘az --version’ command, then sign in with ‘az login’ before using CLI commands.
The steps for signing in to the Azure CLI with ‘az login’ are below.

• Firstly, run the ‘az login’ command. If the CLI opens the default browser, it
loads an Azure sign-in page.
• Secondly, sign in with your account credentials. You will then see a list of
the subscriptions related to that Azure account. The subscription whose
information has ‘isDefault: true’ is the currently active subscription after
login.

Now, let’s check the different types of commands that you can find with Microsoft
Azure.

Important Commands You Should Know

Some of the common commands in the CLI are:

• Firstly, ‘az group’, which manages resource groups.
• Secondly, ‘az vm’, which manages Windows or Linux virtual machines.
• Then, ‘az storage account’ for the management of storage accounts.
• Fourthly, ‘az keyvault’ for managing certificates and Key Vault.
• After that, ‘az webapp’ for managing web applications.
• Lastly, ‘az sql server’ for managing SQL databases.

The organization of CLI commands into groups is another important part of every
Azure cheat sheet. Each group represents a specific Azure service, and its commands
operate on that service. Below is an example of the ‘az configure’ command,

Globally Available Arguments


Here we cover the globally available arguments, which can be used with every
command.

• Firstly, the ‘--output’ argument, which changes the output format. The
available formats are JSON, tsv (tab-separated values), YAML, jsonc (colorized
JSON) and table (human-readable ASCII tables).
• Secondly, the ‘--query’ argument, which filters the output from Azure
services. This argument uses the JMESPath query language.
• Thirdly, the ‘--verbose’ argument, which prints information about resources
created in Azure.
• Lastly, the ‘--debug’ argument, which prints additional information about CLI
operations for debugging purposes.
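
The sign-in check and the global ‘--query’ and ‘--output’ arguments described above, combined in an added example that is not part of the original cheat sheet: a script guard that refuses to continue unless the subscription marked ‘isDefault’ is the expected one. The function names and the subscription id in the comments are assumptions; the Azure CLI and a prior ‘az login’ are required.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Requires the Azure CLI and a completed 'az login'.

# Print the id of the subscription whose isDefault flag is true.
# --query filters the JSON result with JMESPath; --output tsv drops the
# quotes and brackets so the value can be captured in a shell variable.
active_subscription_id() {
    az account list --query "[?isDefault].id" --output tsv
}

# Succeed only when the active subscription is the one the script expects.
# Return codes: 0 = match, 1 = wrong subscription, 2 = not signed in / CLI error.
require_subscription() {
    expected="$1"
    actual="$(active_subscription_id)" || return 2
    if [ -z "$actual" ]; then
        echo "no active subscription; run 'az login' first" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "active subscription is $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# List resource groups as "name<TAB>location", one group per line.
# A JMESPath multiselect list ([name, location]) fixes the tsv column order,
# which makes the output safe to feed to cut, awk or a while-read loop.
resource_groups() {
    az group list --query "[].[name, location]" --output tsv
}

# Typical use at the top of an automation script (placeholder id):
#   require_subscription "00000000-0000-0000-0000-000000000000" || exit 1
#   resource_groups
```

For interactive use, the same queries read better with ‘--output table’; tsv is the format to choose when another command consumes the result.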

Conclusion

The Azure cheat sheet is loaded with essential information for learning the basics of
Microsoft Azure. Moreover, the cheat sheet provides a detailed overview of Microsoft
AZ-900 along with Azure services. You also get an understanding of basic Azure
commands, which helps students and IT professionals learn about Azure. As for the
future, the growing adoption of Microsoft Azure can help in building a good cloud
computing career.

Knowledge check

Choose the best response for each of the questions below.

1. Which of the following can be used to manage governance across multiple Azure
subscriptions?

• Azure Initiatives
• Management Groups
That's correct. Management groups facilitate the hierarchical ordering of Azure
resources into collections, at a level of scope above subscriptions. Distinct
governance conditions can be applied to each management group, with Azure Policy
and Azure RBACs, to manage Azure subscriptions effectively. The resources and
subscriptions assigned to a management group automatically inherit the conditions
applied to the management group.
• Resource Groups

2. Which of the following is a logical unit of Azure services that links to an Azure
account?

• Azure Subscription
That's correct. Azure subscription is a logical unit of Azure services that links to an
Azure account.
• Management Group
• Resource Group

3. Which of the following statements is a valid statement about an Azure subscription?

• Using Azure does not require a subscription
• An Azure subscription is a logical unit of Azure services
That's correct. A subscription is a set of Azure services bundled together for tracking
and billing purposes.
• You can't have more than one subscription

4. Your billing is based on your usage of Azure resources and is invoiced at what
frequency?

• Annually
• Monthly
That's correct. You will be billed monthly.
• Daily

5. When you create an Azure resource like a virtual machine, you have to select where
its usage will be paid; what is this called?

• Billing account
• Billing profile
• Azure subscription
That's correct. Exactly, you need to have a subscription to create the resource within.

6. Which Azure support plan is best for business-critical workloads?

• Azure Developer
The Developer support plan does not have a fast enough SLA and allows for long
downtimes of your service.
• Azure Professional Direct
• Azure Standard

AZ-900: Azure Fundamentals Exam Preparation
February 07, 2019

Having recently just passed AZ-900: Azure Fundamentals, I thought it would be a good
idea to share my approach, collection of reference material, and collated study notes.

If you are preparing for this exam, the Azure Fundamentals Learning Path on Microsoft
Learn is a fantastic resource that aligns very closely to the skills measured. Note: If you
completed the Azure Fundamentals Learning Path a while ago, it may be worth
revisiting as the underlying modules and units continue to change to remain relevant
and current.

My Approach

1. Review the skills measured (within exam details).

2. Highlight key phrases.

3. Draw lineage between the key phrases and Microsoft Learn modules.
4. Complete the Azure Fundamentals Learning Path.

5. Collate study notes.

Resources
Resource: Title
Exam Details: AZ-900: Microsoft Azure Fundamentals
Certification: Microsoft Certified Azure Fundamentals
Learning Path: MS Learn: Azure Fundamentals

Microsoft Learn Modules Aligned to AZ-900


Skill Measured: Microsoft Learn Modules

1. Understand Cloud Concepts
• Cloud Concepts - Principles of Cloud Computing

2. Understand Core Azure Services
• Core Cloud Services - Introduction to Azure
• Core Cloud Services - Azure architecture and service guarantees
• Core Cloud Services - Azure compute options
• Core Cloud Services - Azure data storage options
• Core Cloud Services - Azure networking options

3. Understand Security, Privacy, Compliance, and Trust
• Security, responsibility and trust in Azure
• Control and organize Azure resources with Azure Resource Manager
• Apply and monitor infrastructure standards with Azure Policy

4. Understand Azure Pricing and Support
• Create an Azure account
• Core Cloud Services - Manage services with the Azure portal
• Core Cloud Services - Azure architecture and service guarantees
• Predict costs and optimize spending for Azure

Key Phrases
1. Understand Cloud Concepts (15-20%)

Describe the benefits and considerations of using cloud services

• Understand terms such as High Availability, Scalability, Elasticity, Agility, Fault
Tolerance, and Disaster Recovery
• Understand the principles of economies of scale
• Understand the differences between Capital Expenditure (CapEx) and Operational
Expenditure (OpEx)
• Understand the consumption-based model

Describe the differences between Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and
Software-as-a-Service (SaaS)

• Describe Infrastructure-as-a-Service (IaaS)


• Describe Platform-as-a-Service (PaaS)
• Describe Software-as-a-Service (SaaS)
• Compare and contrast the three different service types

Describe the differences between Public, Private and Hybrid cloud models

• Describe Public cloud


• Describe Private cloud
• Describe Hybrid cloud
• Compare and contrast the three different cloud models

2. Understand Core Azure Services (30-35%)


Understand the core Azure architectural components

• Describe Regions
• Describe Availability Zones
• Describe Resource Groups
• Describe Azure Resource Manager
• Describe the benefits and usage of core Azure architectural components

Describe some of the core products available in Azure

• Describe products available for Compute such as Virtual Machines, Virtual
Machine Scale Sets, App Service and Functions
• Describe products available for Networking such as Virtual Network, Load
Balancer, VPN Gateway, Application Gateway and Content Delivery Network
• Describe products available for Storage such as Blob Storage, Disk Storage, File
Storage, and Archive Storage
• Describe products available for Databases such as CosmosDB, Azure SQL
Database, Azure Database Migration service, and Azure SQL Data Warehouse
• Describe the Azure Marketplace and its usage scenarios

Describe some of the solutions available on Azure

• Describe Internet of Things (IoT) and products that are available for IoT on Azure
such as IoT Fundamentals, IoT Hub and IoT Central
• Describe Big Data and Analytics and products that are available for Big Data and
Analytics such as SQL Data Warehouse, HDInsight and Data Lake Analytics
• Describe Artificial Intelligence (AI) and products that are available for AI such
as Azure Machine Learning Service and Studio
• Describe Serverless computing and Azure products that are available for
serverless computing such as Azure Functions, Logic Apps and App grid
• Describe the benefits and outcomes of using Azure solutions

Understand Azure management tools

• Understand Azure tools such as Azure CLI, PowerShell, and the Azure Portal
• Understand Azure Advisor

3. Understand Security, Privacy, Compliance, and Trust (25-30%)


Understand securing network connectivity in Azure

• Describe Azure Firewall


• Describe Azure DDoS Protection
• Describe Network Security Group (NSG)
• Choose an appropriate Azure security solution

Describe core Azure Identity services

• Understand the difference between authentication and authorization


• Describe Azure Active Directory
• Describe Azure Multi-Factor Authentication

Describe security tools and features of Azure

• Describe Azure Security


• Understand Azure Security center usage scenarios
• Describe Key Vault
• Describe Azure Information Protection (AIP)
• Describe Azure Advanced Threat Protection (ATP)

Describe Azure governance methodologies

• Describe Azure Policies


• Describe Initiatives
• Describe Role-Based Access Control (RBAC)
• Describe Locks
• Describe Azure Advisor security assistance

Understand monitoring and reporting options in Azure

• Describe Azure Monitor


• Describe Azure Service Health
• Understand the use cases and benefits of Azure Monitor and Azure Service Health

Understand privacy, compliance and data protection standards in Azure


• Understand industry compliance terms such as GDPR, ISO and NIST
• Understand the Microsoft Privacy Statement
• Describe the Trust center
• Describe the Service Trust Portal
• Describe Compliance Manager
• Determine if Azure is compliant for a business need
• Understand Azure Government services
• Understand Azure Germany services

4. Understand Azure Pricing and Support (25-30%)


Understand Azure subscriptions

• Describe an Azure Subscription


• Understand the uses and options with Azure subscriptions

Understand planning and management of costs

• Understand options for purchasing Azure products and services


• Understand options around Azure Free account
• Understand the factors affecting costs such as resource types, services, locations,
ingress and egress traffic
• Understand Zones for billing purposes
• Understand the Pricing calculator
• Understand the Total Cost of Ownership (TCO) calculator
• Understand best practices for minimizing Azure costs such as performing cost
analysis, creating spending limits and quotas, and using tags to identify cost owners; use
Azure reservations; use Azure Advisor recommendations
• Describe Azure Cost Management

Understand the support options available with Azure

• Understand support plans that are available such as Dev, Standard, Professional
Direct and Premier
• Understand how to open a support ticket
• Understand available support channels outside of support plan channels
• Describe the Knowledge Center
Describe Azure Service Level Agreements (SLAs)

• Describe a Service Level Agreement (SLA)


• Determine SLA for a particular Azure product or service

Understand service lifecycle in Azure

• Understand Public and Private Preview features
• Understand how to access Preview features
• Understand the term General Availability (GA)
• Monitor feature updates

Study Notes
1. Understand Cloud Concepts (15-20%)

High Availability (HA)


The ability of the application to continue running in a healthy state, without significant downtime. By "healthy
state," we mean the application is responsive, and users can connect to the application and interact with it.

Scalability
Increase or decrease the resources and services used based on the demand or workload at any given time.
Vertical Scaling (aka "scaling up") - add more resources to existing servers. Horizontal Scaling (aka "scaling out") -
add more servers.

Vertical Scaling (aka "scaling up")


The process of adding resources to increase the power of an existing server (e.g. adding a faster CPU,
additional CPUs, more memory).

Horizontal Scaling (aka "scaling out")


The process of adding more servers that function together as one unit (e.g. adding more servers).

Elasticity
Automatically add or remove resources based on demand.

Cloud Agility
Cloud agility is the ability to rapidly change an IT infrastructure in order to adapt to the evolving needs of the
business (e.g. if your service peaks one month, you can scale to demand and pay a larger bill for the month. If
the following month the demand drops, you can reduce the used resources and be charged less).

Fault Tolerance
Redundancy is often built into cloud services architecture so if one component fails, a backup component
takes its place. This is referred to as fault tolerance and it ensures that your customers aren't impacted when
an unexpected accident occurs.
Disaster Recovery
The ability to recover from rare but major incidents: non-transient, wide-scale failures, such as service
disruption that affects an entire region. Disaster recovery includes data backup and archiving, and may include
manual intervention, such as restoring a database from backup.

Economies of Scale
Economies of scale is the ability to do things more efficiently or at a lower cost per unit when operating at a
larger scale (e.g. the ability to acquire hardware at a lower cost than if a single user or smaller business were
purchasing it). Cloud providers can also make deals with local governments and utilities to get tax savings, lower
pricing on power, cooling, and high-speed network connectivity between sites.

Capital Expenditure (CapEx)


CapEx is the spending of money on physical infrastructure up front, and then deducting that expense from
your tax bill over time. CapEx is an upfront cost, which has a value that reduces over time.

Operational Expenditure (OpEx)


OpEx is spending money on services or products now and being billed for them now. You can deduct this
expense from your tax bill in the same year. There is no upfront cost; you pay for a service or product as you
use it.

Infrastructure-as-a-Service (IaaS) (shared responsibility model)


Infrastructure as a Service is the most flexible category of cloud services. It aims to give you complete control
over the hardware that runs your application (IT infrastructure servers and virtual machines (VMs), storage,
networks, and operating systems). Instead of buying hardware, with IaaS, you rent it. It's an instant computing
infrastructure, provisioned and managed over the internet.

Platform-as-a-Service (PaaS)
PaaS provides an environment for building, testing, and deploying software applications. The goal of PaaS is to
help you create an application quickly without managing the underlying infrastructure. For example, when
deploying a web application using PaaS, you don't have to install an operating system, web server, or even
system updates. PaaS is a complete development and deployment environment in the cloud.

Software-as-a-Service (SaaS)
SaaS is software that is centrally hosted and managed for the end customer. It is usually based on an
architecture where one version of the application is used for all customers, and licensed through a monthly or
annual subscription. Office 365, Skype, and Dynamics CRM Online are perfect examples of SaaS software.

Compare & Contrast (Responsibilities)

IaaS
User: Purchase, installation, configuration, and management of their own software: operating systems,
middleware, and applications.
Cloud Provider: Responsible for ensuring that the underlying cloud infrastructure (such as virtual machines,
storage, and networking) is available for the user.

PaaS
User: Responsible for the development of their own applications.
Cloud Provider: Responsible for operating system management, and network and service configuration.

SaaS
User: Users just use the application software; they are not responsible for any maintenance or management of
that software.
Cloud Provider: The cloud provider is responsible for the provision, management, and maintenance of the
application software.

Public Cloud (most common)


This is the most common deployment model. In this case, you have no local hardware to manage or keep up-
to-date – everything runs on your cloud provider’s hardware.

Private Cloud (2nd most common)


In a private cloud, you create a cloud environment in your own datacenter and provide self-service access to
compute resources to users in your organization.

Hybrid Cloud (stepping stone to cloud, segmenting work, cloud bursting)


A hybrid cloud combines public and private clouds, allowing you to run your applications in the most
appropriate location.

Compare & Contrast (Advantages & Disadvantages)

Public
Advantages:
+ High Scalability/Agility
+ PAYG (No CapEx, OpEx model)
+ Not responsible for hardware maintenance
+ Minimal technical knowledge required
Disadvantages:
- May not be able to meet specific security requirements
- May not be able to meet specific compliance requirements
- You don't own the hardware and may not be able to manage them as you wish

Private
Advantages:
+ You have complete control
+ Can meet strict security and compliance requirements
Disadvantages:
- Upfront CapEx costs
- Owning equipment limits agility to scale
- Requires high technical knowledge

Hybrid
Advantages:
+ Advantages of both Public and Private
Disadvantages:
- Can be more expensive than selecting one deployment model
- Can be more complicated to set up and manage

Benefits of Cloud Computing

• Cost Effective: Pay-as-you-go, consumption-based pricing model. Rather than
paying for hardware up-front, you rent hardware and pay for the resources that you use.
• Scalable: Increase or decrease the resources and services used based on the demand
or workload at any given time.
• Elastic: Automatically add or remove resources based on demand.
• Current: Computer hardware and software is automatically maintained by the cloud
provider.
• Reliable: Cloud providers offer data backup, disaster recovery, and data replication
services. Redundancy is often built into cloud services architecture so if one component
fails, a backup component takes its place.
• Global: Cloud providers have fully-redundant datacenters located in various regions
all over the globe (performance, redundancy, compliance).
• Secure: Cloud providers offer a broad set of policies, technologies, controls, and
expert technical skills that can provide better security than most organizations can
otherwise achieve.

2. Understand Core Azure Services (30-35%)


Geography (Americas, Europe, Asia Pacific, Middle East and Africa)
An Azure geography is a discrete market typically containing two or more regions that preserve data residency
and compliance boundaries.

Region (e.g. North Europe, West Europe, Germany North, Germany West Central)
A region is a geographical area on the planet containing at least one, but potentially multiple datacenters that
are nearby and networked together with a low-latency network.

Availability Zone (e.g. Zone 1, Zone 2, Zone 3 - within a particular region)


Availability Zones are physically separate datacenters within an Azure region. Each Availability Zone is made up
of one or more datacenters equipped with independent power, cooling, and networking.

Availability Sets
Availability Sets consist of update and fault domains. Update Domain: When a maintenance event occurs,
the update is sequenced through update domains. Fault Domain: Fault domains provide for the physical
separation of a workload across different hardware in the datacenter.
Hierarchy: Geography > Region > Availability Zone > Availability Set > Fault Domain/Update Domain

Region Pair
Each Azure region is always paired with another region within the same geography (such as US, Europe, or
Asia) at least 300 miles away. This approach allows for the replication of resources (such as virtual machine
storage) across a geography that helps reduce the likelihood of interruptions due to events such as natural
disasters, civil unrest, power outages, or physical network outages affecting both regions at once.

Resource Group
Resource groups are a fundamental element of the Azure platform. A resource group is a logical container for
resources deployed on Azure.

Azure Resource Manager


Azure Resource Manager is the interface for managing and organizing cloud resources. Think of Resource
Manager as a way to deploy cloud resources.

Compute

Virtual Machines: Windows or Linux virtual machines (VMs) hosted in Azure
Virtual Machine Scale Sets: Scaling for Windows or Linux VMs hosted in Azure
App Service: PaaS offerings to build, deploy, and scale enterprise-grade web, mobile, and API apps.
Azure Functions: An event-driven, serverless compute service

Networking

Virtual Network: Connects VMs to incoming Virtual Private Network (VPN) connections
Load Balancer: Balances inbound and outbound connections to applications or service endpoints
VPN Gateway: Accesses Azure Virtual Networks through high-performance VPN gateways
Application Gateway: Optimizes app server farm delivery while increasing application security
Content Delivery Network: Delivers high-bandwidth content to customers globally

Storage

Blob Storage: Storage service for very large objects, such as video files or bitmaps
Disk Storage: Provides disks for virtual machines, applications, and other services.
File Storage: Azure Files offers fully-managed file shares in the cloud.
Archive Storage: Storage facility for data that is rarely accessed.

Databases

CosmosDB: Globally distributed database that supports NoSQL options
Azure SQL Database: Fully managed relational database with auto-scale, integral intelligence, and robust security
Azure Database Migration Service: Migrates your databases to the cloud with no application code changes
Azure SQL Data Warehouse: Fully managed data warehouse with integral security at every level of scale at no extra cost

Azure Marketplace
The Marketplace allows customers to find, try, purchase, and provision applications and services from
hundreds of leading service providers, all certified to run on Azure. Azure Marketplace is a service on Azure
that helps connect end users with Microsoft partners, independent software vendors (ISVs), and start-ups that
are offering their solutions and services, which are optimized to run on Azure.

Internet of Things (IoT)

IoT Hub: Messaging hub that provides secure communications and monitoring between millions of IoT devices
IoT Central: Fully-managed global IoT software as a service (SaaS) solution that makes it easy to connect,
monitor, and manage your IoT assets at scale
IoT Edge: Push your data analysis onto your IoT devices instead of in the cloud, allowing them to react more
quickly to state changes.

Big Data and Analytics

SQL Data Warehouse: Run analytics at a massive scale using a cloud-based Enterprise Data Warehouse (EDW)
that leverages massive parallel processing (MPP) to run complex queries quickly across petabytes of data
HDInsight: Process massive amounts of data with managed Hadoop clusters in the cloud
Data Lake Analytics: On-demand ("pay as you go") scalable analytics service that allows you to write queries to
transform your data and extract valuable insights.

Artificial Intelligence

Azure Machine Learning Service: Cloud-based environment you can use to develop, train, test, deploy, manage,
and track machine learning models. It can auto-generate a model and auto-tune it for you. It will let you start
training on your local machine, and then scale out to the cloud
Azure Machine Learning Studio: Collaborative, drag-and-drop visual workspace where you can build, test, and
deploy machine learning solutions using pre-built machine learning algorithms and data-handling modules

Serverless Computing

Azure Functions: An event-driven, serverless compute service
Logic Apps: Help you automate and orchestrate tasks, business processes, and workflows when you need to
integrate apps, data, systems, and services across enterprises or organizations.
Event Grid: Allows you to easily build applications with event-based architectures. It's a fully-managed,
intelligent event routing service that uses a publish-subscribe model for uniform event consumption.

Azure CLI
Azure CLI is a cross-platform command-line program that connects to Azure and executes administrative
commands on Azure resources. Cross-platform means that it can be run on Windows, Linux, or macOS.

PowerShell
Azure PowerShell is a module that you add to Windows PowerShell or PowerShell Core that enables you to
connect to your Azure subscription and manage resources.

Azure Portal
The Azure portal is a website that you can access with a web browser, by going to the URL
https://portal.azure.com. From here, you can interact manually with all the Azure services. The portal is a web-
based administration site that lets you interact with all of your subscriptions and resources you have created.

Azure Advisor
Azure Advisor is a free service built into Azure that provides recommendations on high availability, security,
performance, and cost. Advisor analyzes your deployed services and looks for ways to improve your
environment across those four areas.

3. Understand Security, Privacy, Compliance, and Trust (25-30%)

Azure Firewall
Azure Firewall is a managed, cloud-based, network security service that protects your Azure Virtual Network
resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud
scalability. Azure Firewall provides inbound protection for non-HTTP/S protocols. Examples of non-HTTP/S
protocols include: Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP). It
also provides outbound, network-level protection for all ports and protocols, and application-level protection
for outbound HTTP/S.

Azure DDoS Protection


DDoS Protection leverages the scale and elasticity of Microsoft’s global network to bring DDoS mitigation
capacity to every Azure region. The Azure DDoS Protection service protects your Azure applications by
scrubbing traffic at the Azure network edge before it can impact your service's availability. Within a few
minutes of attack detection, you are notified using Azure Monitor metrics.

Network Security Group (NSG)


NSGs operate at layers 3 & 4, and provide a list of allowed and denied communication to and from network
interfaces and subnets. NSGs are fully customizable, and give you the ability to fully lock down network
communication to and from your virtual machines. By using NSGs, you can isolate applications between
environments, tiers, and services.

Authentication (Who are you?)


Authentication is the process of establishing the identity of a person or service looking to access a resource. It
involves the act of challenging a party for legitimate credentials, and provides the basis for creating a security
principal for identity and access control use. It establishes if they are who they say they are.

Authorization (What are you allowed to do?)


Authorization is the process of establishing what level of access an authenticated person or service has. It
specifies what data they're allowed to access and what they can do with it.

Azure Active Directory (Authentication, SSO, Application Management, B2B Identity Services, Device
Management)
Azure AD is a cloud-based identity service. It has built-in support for synchronizing with your existing
on-premises Active Directory or can be used stand-alone. This means that all your applications, whether
on-premises, in the cloud (including Office 365), or even mobile, can share the same credentials. Administrators
and developers can control access to internal and external data and applications using centralized rules and
policies configured in Azure AD.

• Authentication
• Single Sign-On (SSO)
• Application Management
• Business to Business (B2B) Identity Services
• Device Management

Azure Multi-Factor Authentication


Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more
elements for full authentication.
These elements fall into three categories:

• Something you know (e.g. password)
• Something you possess (e.g. mobile app)
• Something you are (e.g. fingerprint or face scan)

Azure Security Center


Security Center is a monitoring service that provides threat protection across all of your services, both in Azure
and on-premises. It is available in two tiers: Free (limited to assessments and recommendations only) and Standard
(full suite of security-related services including continuous monitoring, threat detection and just-in-time access
control).

Azure Security Center - Usage Scenarios

• Incident Response (Detect, Assess, Diagnose)
• Implement Recommendations

Key Vault
Azure Key Vault is a secret store: a centralized cloud service for storing application secrets. Key Vault helps you
control your applications' secrets by keeping them in a single central location and providing secure access,
permissions control, and access logging.

Microsoft Azure Information Protection (MSIP)


A cloud-based solution that helps organizations classify and optionally protect documents and emails by
applying labels. It lets you analyse data flows, detect risky behaviour, track access to documents, and prevent
data leakage or misuse of confidential information.

Azure Advanced Threat Protection (Azure ATP)


A cloud-based security solution that identifies, detects, and helps you investigate advanced threats,
compromised identities, and malicious insider actions directed at your organization. Azure ATP is capable of
detecting known malicious attacks and techniques, security issues, and risks against your network.

Azure Policies
Azure Policy is a service you can use to create, assign, and manage policies. These policies apply and enforce
rules that your resources need to follow. These policies can enforce these rules when resources are created,
and can be evaluated against existing resources to give visibility into compliance.

Initiatives
Initiatives work alongside policies in Azure Policy. An initiative definition is a set or group of policy definitions
to help track your compliance state for a larger goal.

Role-Based Access Control


RBAC provides fine-grained access management for Azure resources, enabling you to grant users the specific
rights they need to perform their jobs. RBAC is considered a core service and is included with all subscription
levels at no cost.

Resource Locks
Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource
locks can be set to either Delete or Read-only. Delete will allow all operations against the resource but block the
ability to delete it. Read-only will only allow read activities to be performed against it, blocking any
modification or deletion of the resource. Resource locks can be applied to subscriptions, resource groups, and
to individual resources, and are inherited when applied at higher levels.
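
The lock behaviour described above (Delete versus Read-only, inherited from subscription to resource group to resource), as an added example that is not part of the original guide. It is a simplified Python model, not the Azure API; the resource IDs, lock names, placeholder subscription ID and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Lock types as named on this page. (Assumption worth knowing: the Azure
# management API refers to these levels as CanNotDelete and ReadOnly.)
DELETE_LOCK = "Delete"
READ_ONLY_LOCK = "Read-only"

# Operations each lock type blocks, per the description above.
BLOCKED_OPERATIONS = {
    DELETE_LOCK: {"delete"},
    READ_ONLY_LOCK: {"write", "delete"},
}
VALID_OPERATIONS = {"read", "write", "delete"}


@dataclass(frozen=True)
class Lock:
    scope: str  # resource ID of a subscription, resource group or resource
    kind: str   # DELETE_LOCK or READ_ONLY_LOCK
    name: str


def _normalize(resource_id: str) -> str:
    # Resource IDs are compared case-insensitively in this model.
    return resource_id.rstrip("/").lower()


def applies_to(lock_scope: str, resource_id: str) -> bool:
    """True if a lock at lock_scope is inherited by resource_id.

    Matching is on whole path segments, so a lock on .../rg-prod does not
    leak onto a sibling group named .../rg-prod2.
    """
    scope, rid = _normalize(lock_scope), _normalize(resource_id)
    return rid == scope or rid.startswith(scope + "/")


def evaluate(operation: str, resource_id: str, locks: list) -> tuple:
    """Return (allowed, names of the locks that block the operation).

    Every inherited lock is checked, so the most restrictive one decides.
    """
    if operation not in VALID_OPERATIONS:
        raise ValueError(f"unknown operation: {operation}")
    blocking = sorted(
        lock.name
        for lock in locks
        if applies_to(lock.scope, resource_id)
        and operation in BLOCKED_OPERATIONS[lock.kind]
    )
    return (not blocking, blocking)


def unprotected(resource_ids: list, locks: list) -> list:
    """Audit helper: resources that no lock protects from deletion."""
    return [rid for rid in resource_ids if evaluate("delete", rid, locks)[0]]


# --- Constructed sample data (placeholder subscription ID) ---
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
VM = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-web01"
KV = RG_PROD + "/providers/Microsoft.KeyVault/vaults/kv-prod"
DEV_VM = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-dev01"

LOCKS = [
    Lock(RG_PROD, DELETE_LOCK, "prod-no-delete"),  # inherited by VM and KV
    Lock(KV, READ_ONLY_LOCK, "kv-frozen"),         # applies to the vault only
]

if __name__ == "__main__":
    for op in ("read", "write", "delete"):
        for rid in (VM, KV, DEV_VM):
            allowed, why = evaluate(op, rid, LOCKS)
            verdict = "allowed" if allowed else "blocked by " + ", ".join(why)
            print(f"{op:6} {rid.rsplit('/', 1)[-1]:9} {verdict}")
    print("No delete protection:", unprotected([VM, KV, DEV_VM], LOCKS))
```

Locks act on management-plane operations only, so this model says nothing about data-plane access such as reading a secret's value from the vault.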

Azure Monitor
Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive
solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It
helps you understand how your applications are performing and proactively identifies issues affecting them
and the resources they depend on.

Azure Service Health


Azure Service Health is a suite of experiences that provide personalized guidance and support when issues
with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you
updated as the issue is resolved. Azure Service Health can also help you prepare for planned maintenance and
changes that could affect the availability of your resources.

General Data Protection Regulation (GDPR)


As of May 25, 2018, a European privacy law — GDPR — is in effect. GDPR imposes new rules on companies,
government agencies, non-profits, and other organizations that offer goods and services to people in the
European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where
you are located.

ISO/IEC 27018
Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, covering the
processing of personal information by cloud service providers.

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)


NIST CSF is a voluntary Framework that consists of standards, guidelines, and best practices to manage
cybersecurity-related risks. Microsoft cloud services have undergone independent, third-party Federal Risk and
Authorization Management Program (FedRAMP) Moderate and High Baseline audits, and are certified
according to the FedRAMP standards. Additionally, through a validated assessment performed by the Health
Information Trust Alliance (HITRUST), a leading security and privacy standards development and accreditation
organization, Office 365 is certified to the objectives specified in the NIST CSF.

Microsoft Privacy Statement


The Microsoft privacy statement explains what personal data Microsoft processes, how Microsoft processes it,
and for what purposes.

Trust Center
Trust Center is a website resource containing information and details about how Microsoft implements and
supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. The
Trust Center is an important part of the Microsoft Trusted Cloud Initiative, and provides support and resources
for the legal and compliance community.

Service Trust Portal


The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for
publishing audit reports and other compliance-related information relevant to Microsoft’s cloud services.

Compliance Manager
Compliance Manager is a workflow-based risk assessment dashboard within the Trust Portal that enables you
to track, assign, and verify your organization's regulatory compliance activities related to Microsoft
professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.

Azure Government Services


Azure Government is a cloud environment specifically built to meet compliance and security requirements for
the US government. It is a physically separated instance of Microsoft Azure, built specifically for the U.S.
Government, that meets complex compliance standards and is designed to exceed U.S. Government requirements.

4. Understand Azure Pricing and Support (25-30%)

Azure Account
An Azure account is tied to a specific identity and holds information like: Name, email, and contact
preferences; Billing information such as a credit card. An Azure account is what you use to sign in to the Azure
website and administer or deploy services. Every Azure account is associated with one or more subscriptions.

Azure Free Account

• Subset of Azure services free for 12 months (750 VM hours, 5GB Storage, 250GB SQL
DB, etc)
• $200 USD free credit (170 euro) to explore any Azure service for 30 days
• 25+ services always free

| Service | Metric | What |
|---|---|---|
| App Service | 10 | Web, mobile, or API apps |
| Functions | 1M | Requests per month |
| Event Grid | 100,000 | Operations per month |
| Azure Kubernetes Service | Free | Deploy and manage containers |
| Face API | 30,000 | Transactions per month |
| DevTest Labs | Free | |
| Active Directory | 500,000 | Objects |
| AD B2C | 50,000 | Monthly stored users |
| Service Fabric | Free | |
| Azure DevOps | 5 | Users |
| Azure ML Studio | 100 | Modules per experiment |
| Azure Security Center | Free | Policy assessment and recommendations |
| Data Factory | 5 | Activities |
| Search | 10,000 | Documents |
| Notification Hubs | 1M | Push notifications |
| Batch | Free | |
| Automation | 500 mins | Job runtime |
| Data Catalog | Unlimited | Users |
| Translator Text API | 2M | Characters |
| Virtual Network | 50 | Virtual networks |
| Inter-VNET data transfer | Inbound only | |
| Bandwidth | 5GB | Outbound |
| ML Service | Free | Workspaces |


Azure Subscription
An Azure subscription is a logical container used to provision resources in Microsoft Azure. It holds the details
of all your resources like virtual machines, databases, etc.

Azure Subscription - Use and Options


Azure offers free and paid subscription options to suit different needs and requirements. The most commonly
used subscriptions are:

• Free: An Azure free subscription includes a $200 credit to spend on any service for
the first 30 days, free access to the most popular Azure products for 12 months, and access
to more than 25 products that are always free.
• Pay-As-You-Go: A Pay-As-You-Go (PAYG) subscription charges you monthly for the
services you used in that billing period. This subscription type is appropriate for a wide
range of users, from individuals to small businesses, and many large organizations as well.
• Enterprise Agreement: An Enterprise Agreement (EA) provides flexibility to buy
cloud services and software licenses under one agreement, with discounts for new licenses
and Software Assurance. It's targeted at enterprise-scale organizations.
• Student: An Azure for Students subscription includes $100 in Azure credits to be
used within the first 12 months plus select free services without requiring a credit card at
sign-up. You must verify your student status through your organizational email address.

Every Azure Subscription Includes

• Free access to billing and subscription support
• Azure products and services documentation
• Online self-help documentation
• Community support forums

Purchasing Options for Azure Products and Services

• Enterprise: Enterprise customers sign an Enterprise Agreement (EA) with Azure
that commits them to spend a negotiated amount on Azure services, which they typically
pay annually. Enterprise customers also have access to customized Azure pricing.
• Web direct: Direct Web customers pay general public prices for Azure resources,
and their monthly billing and payments occur through the Azure website.
• Cloud Solution Provider: Cloud Solution Providers (CSPs) are typically Microsoft
partner companies that a customer hires to build solutions on top of Azure. Payment and
billing for Azure usage occur through the customer's CSP.

Factors Affecting Costs

• Resource Type: Costs are resource-specific, so the usage that a meter tracks and the
number of meters associated with a resource depend on the resource type.
• Service: Azure usage rates and billing periods can differ between Enterprise, Web
Direct, and Cloud Solution Provider (CSP) customers. Some subscription types also include
usage allowances, which affect costs.
• Location: Azure has datacenters all over the world. Usage costs vary between
locations that offer particular Azure products, services, and resources based on popularity,
demand, and local infrastructure costs.

Zones
A Zone is a geographical grouping of Azure Regions for billing purposes. The following zones exist and include
the listed countries (regions).

• Zone 1 (United States, Europe, Canada, UK, France)
• Zone 2 (Asia Pacific, Japan, Australia, India, Korea)
• Zone 3 (Brazil)
• DE Zone 1 (Germany)

Pricing Calculator
The Azure pricing calculator is a free web-based tool that allows you to input Azure services and modify
properties and options of the services. It outputs the costs per service and total cost for the full estimate.

Total Cost of Ownership (TCO) Calculator


If you are starting to migrate to the cloud, a useful tool you can use to predict your cost savings is the Total
Cost of Ownership (TCO) calculator. TCO helps you estimate cost savings realized by migrating to Azure.

Best Practices for Minimizing Azure Costs

• Spending Limits: The spending limit in Azure exists to prevent spending over your
credit amount. All new customers who sign up for the trial or offers that include credits
over multiple months have the spending limit turned on by default. The spending limit is $0.
It can't be changed. The spending limit isn't available for subscription types such as
Pay-As-You-Go subscriptions and commitment plans.
• Quotas: Microsoft Azure Limits
• Tags: You can use tags to group your billing data. For example, if you're running
multiple VMs for different organizations, use the tags to group usage by cost center. You can
also use tags to categorize costs by runtime environment, such as the billing usage for VMs
running in the production environment. When exporting billing data or accessing it through
billing APIs, tags are included in that data and can be used to further slice your data from a
cost perspective.
• Reserved Instances: Reserved instances are purchased in one-year or three-year terms,
with payment required for the full term up front. After it's purchased, Microsoft matches up
the reservation to running instances and decrements the hours from your reservation.
Reservations can be purchased through the Azure portal. And because reserved instances are
a compute discount, they are available for both Windows and Linux VMs.

Azure Cost Management


Azure Cost Management is another free, built-in Azure tool that can be used to gain greater insights into
where your cloud money is going. You can see historical breakdowns of what services you are spending your
money on and how it is tracking against budgets that you have set. You can set budgets, schedule reports, and
analyze your cost areas.

Support Plans
| Plan | Scope | Tech Support | Response Times | Architecture | Operations | Training | Proactive Guidance | Launch Support |
|---|---|---|---|---|---|---|---|---|
| Developer | Non-Product | Business Hours (email) | Sev C; < 8 bus hours | General Guidance | | | | |
| Standard | Production | 24x7 (email & phone) | Sev A; < 1 hour | | | | | |
| Professional Direct | Business Critical | | | Based on best practice by ProDirect delivery manager | Onboarding services, service reviews, Azure Advisor consultations | Azure Engineering-led web seminars | ProDirect Delivery Manager | |
| Premier | Substantial Dependence | | | Customer specific architectural support (e.g. design reviews, perf tuning, config) | Technical account manager-led service reviews and reporting | Azure Engineering-led web seminars, on-demand training | ProDirect Delivery Manager; Designated Technical Account Manager | Azure Event Management (available for additional fee) |

Available Support Channels outside of Support Plan Channels

• Azure Knowledge Center
• Microsoft Developer Network (MSDN) Forums
• Stack Overflow
• Server Fault
• Azure Feedback Forums
• Twitter

How to Open a Support Ticket


Azure Portal > Help + Support > New Support Request

Knowledge Center
The Azure Knowledge Center is a searchable database that contains answers to common support questions,
from a community of Azure experts, developers, customers, and users. You can browse through all responses
within the Azure Knowledge Center. Find specific solutions by entering keyword search terms into the
text-entry field, and further refine your search results by selecting products or tags from the two
dropdown lists provided.

Service Level Agreement (SLA)


Formal documents called Service-Level Agreements (SLAs) capture the specific terms that define the
performance standards that apply to Azure.

• SLAs describe Microsoft's commitment to providing Azure customers with specific
performance standards.
• There are SLAs for individual Azure products and services.
• SLAs also specify what happens if a service or product fails to perform to a governing
SLA's specification.

Note: Azure does not provide SLAs for most services under the Free or Shared tiers.

Determine SLA for a particular Azure product or service


There are three key characteristics of SLAs for Azure products and services:

1. Performance Targets
2. Uptime and Connectivity Guarantees
3. Service credits (percentage of the applicable monthly service fees credited to you if a
service fails to meet uptime guarantee)

Private Preview
This means that an Azure feature is available to specific Azure customers for evaluation purposes. This is
typically by invite only and issued directly by the product team responsible for the feature or service.

Public Preview
This means that an Azure feature is available to all Azure customers for evaluation purposes. These previews
can be turned on through the preview features page as detailed below.

How to Access Preview Features


You can activate specific preview features through the preview features page
(https://azure.microsoft.com/en-gb/services/preview/). This page lists the preview features that are available
for evaluation. To preview a feature, select the Try it button for the relevant feature. Another preview area
you can try is the next version of the Azure portal. Use the URL https://preview.portal.azure.com

General Availability (GA)


Once a feature has been evaluated and tested successfully, it might be released to customers as part of Azure's
default product set. This release is referred to as General Availability (GA).

Monitor Feature Updates


The Azure portal "What's New" link on the ? help menu provides a list of recent updates you can periodically
check to see what's changed in Azure. Alternatively, you can use the Azure Updates page
(https://azure.microsoft.com/updates/).

Exam AZ-900: Microsoft Azure Fundamentals
Prepare for Exam AZ-900: Microsoft Azure Fundamentals. Free demo questions with
answers and explanations.

Question 1
What are two characteristics of the public cloud? Each correct answer
presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers
• Dedicated hardware.
• Unsecured connections.
• Limited storage.
• Metered pricing.
• Self-service management.

Explanation

Advantages of public clouds:

• Lower costs: no need to purchase hardware or software, and you pay only for the service you use.
• No maintenance: your service provider provides the maintenance.
• Near-unlimited scalability: on-demand resources are available to meet your business needs.
• High reliability: a vast network of servers ensures against failure.

References

Public Cloud vs Private Cloud vs Hybrid Cloud

What is a Public Cloud - Definition

Question 2
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

When planning to migrate a public website to Azure, you must plan to ***
PAY MONTHLY USAGE *** costs.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Deploy a VPN.
• Pay to transfer all the website data to Azure.
• Reduce the number of connections to the website.

Explanation

Azure doesn't directly bill based on the resource cost. Charges for a resource are calculated
by using one or more meters. Meters are used to track a resource's usage throughout its
lifetime. These meters are then used to calculate the bill.

For example, when you create a single Azure resource, like a virtual machine, it has one or
more meter instances created. Meters are used to track the usage of the resource over time.
Each meter emits usage records that are used by Azure to calculate the bill.

For example, a single virtual machine (VM) created in Azure may have the following meters
created to track its usage:

Compute Hours, IP Address Hours, Data Transfer In, Data Transfer Out, Standard Managed
Disk, Standard Managed Disk Operations, Standard IO-Disk, Standard IO-Block Blob Read,
Standard IO-Block Blob Write, Standard IO-Block Blob Delete

References

Understand your Microsoft Azure bill

Pricing calculator

Question 3
Your company plans to migrate all its data and resources to Azure.

The company's migration plan states that only platform as a service (PaaS)
solutions must be used in Azure.

You need to deploy an Azure environment that supports the planned
migration.

Solution: You create an Azure App Service and Azure SQL databases.

Does this meet the goal?

Answers
• Yes.
• No.

Explanation

Platform as a service (PaaS) is a complete development and deployment environment in the
cloud, with resources that enable you to deliver everything from simple cloud-based apps to
sophisticated, cloud-enabled enterprise applications. You purchase the resources you need
from a cloud service provider on a pay-as-you-go basis and access them over a secure
Internet connection.

Like IaaS, PaaS includes infrastructure (servers, storage and networking) but also middleware,
development tools, business intelligence (BI) services, database management systems and
more. PaaS is designed to support the complete web application lifecycle: building, testing,
deploying, managing and updating.

PaaS allows you to avoid the expense and complexity of buying and managing software
licenses, the underlying application infrastructure and middleware, container orchestrators
such as Kubernetes or the development tools and other resources. You manage the
applications and services you develop and the cloud service provider typically manages
everything else.

References

What is PaaS?

Question 4
Your company hosts an accounting application named App1 that is used by all the
customers of the company.

App1 has low usage during the first three weeks of each month and very
high usage during the last week of each month.

Which benefit of Azure Cloud Services supports cost management for this
type of usage pattern?

Answers
• High availability.
• High latency.
• Elasticity.
• Load balancing.

Explanation

Elastic computing is the ability to quickly expand or decrease computer processing, memory,
and storage resources to meet changing demands without worrying about capacity planning
and engineering for peak usage. Typically controlled by system monitoring tools, elastic
computing matches the amount of resources allocated to the amount of resources actually
needed without disrupting operations. With cloud elasticity, a company avoids paying for
unused capacity or idle resources and doesn't have to worry about investing in the purchase or
maintenance of additional resources and equipment.

While security and limited control are concerns to take into account when considering elastic
cloud computing, it has many benefits. Elastic computing is more efficient than your typical
IT infrastructure, is typically automated so it doesn't have to rely on human administrators
around the clock, and offers continuous availability of services by avoiding unnecessary
slowdowns or service interruptions.

References

What is elastic computing or cloud elasticity?

Question 5
You plan to migrate a web application to Azure. The web application is
accessed by external users.

You need to recommend a cloud deployment solution to minimize the
amount of administrative effort used to manage the web application.

What should you include in the recommendation?

Answers
• Software as a service (SaaS).
• Platform as a service (PaaS).
• Infrastructure as a service (IaaS).
• Database as a service (DaaS).

Explanation

IaaS (Infrastructure as a Service). IaaS is the most basic level of cloud-based solutions, which
refers to renting an IT infrastructure as a fully outsourced service. In this category, the cloud
provider lets you rent servers, VMs, storage, network and operating systems on a
pay-as-you-go basis.

Examples: Amazon EC2 and S3, Google Compute Engine, Windows Azure.

PaaS (Platform as a Service). PaaS is the cloud solution where, apart from providing an
infrastructure, cloud providers also issue an on-demand computing environment to develop,
test, run and collaborate with components such as web servers, database management
systems, and software development kits (SDKs) for various programming languages.

Examples: AWS Elastic Beanstalk, Heroku, Windows Azure, Force.com, Google App
Engine.

SaaS (Software as a Service). SaaS providers offer fully functional web-based application
software tailored to a variety of business needs such as project tracking, web conferencing,
marketing automation or business analytics.

Examples: Google Apps, Microsoft Office 365, Gmail, Yahoo and Facebook.

References

Windows Azure IaaS vs. PaaS vs. SaaS

Question 6
You have an on-premises network that contains 100 servers.

You need to recommend a solution that provides additional resources to your
users. The solution must minimize capital and operational expenditure costs.

What should you include in the recommendation?

Answers
• A complete migration to the public cloud.
• An additional data center.
• A private cloud.
• A hybrid cloud.

Explanation

Private cloud is a type of cloud computing that delivers similar advantages to public cloud,
including scalability and self-service, but through a proprietary architecture. Unlike public
clouds, which deliver services to multiple organizations, a private cloud is dedicated to the
needs and goals of a single organization.

As a result, private cloud is best for businesses with dynamic or unpredictable computing
needs that require direct control over their environments, typically to meet security, business
governance or regulatory compliance requirements.

There are three general cloud deployment models: public, private and hybrid.

A public cloud is where an independent, third-party provider, such as Amazon Web Services
(AWS) or Microsoft Azure, owns and maintains compute resources that customers can access
over the internet. Public cloud users share these resources, a model known as a multi-tenant
environment.

By comparison, a private cloud is created and maintained by an individual enterprise. The
private cloud might be based on resources and infrastructure already present in an
organization's on-premises data center or on new, separate infrastructure. In both cases, the
enterprise itself owns and operates the private cloud.

A hybrid cloud is a model in which a private cloud connects with public cloud infrastructure,
allowing an organization to orchestrate workloads across the two environments. In this
model, the public cloud effectively becomes an extension of the private cloud to form a
single, uniform cloud. A hybrid cloud deployment requires a high level of compatibility
between the underlying software and services used by both the public and private clouds.

When an organization properly architects and implements a private cloud, it can provide most
of the same benefits found in public clouds, such as user self-service and scalability, as well
as the ability to provision and configure virtual machines (VMs) and change or optimize
computing resources on demand. An organization can also implement chargeback tools to
track computing usage and ensure business units pay only for the resources or services they
use.

Private clouds are often deployed when public clouds are deemed inappropriate or inadequate
for the needs of a business. For example, a public cloud might not provide the level of service
availability or uptime that an organization needs. In other cases, the risk of hosting a
mission-critical workload in the public cloud might exceed an organization's risk tolerance, or there
might be security or regulatory concerns related to the use of a multi-tenant environment. In
these cases, an enterprise might opt to invest in a private cloud to realize the benefits of cloud
computing, while maintaining total control and ownership of its environment.

However, private clouds also have some disadvantages. First, private cloud technologies,
such as increased automation and user self-service, can bring some complexity into an
enterprise. These technologies typically require an IT team to rearchitect some of its data
center infrastructure, as well as adopt additional management tools. As a result, an
organization might have to adjust or even increase its IT staff to successfully implement a
private cloud. This is different than public cloud, where most of the underlying complexity is
handled by the cloud provider.

Another potential disadvantage of private clouds is cost. A benefit of public cloud is cost
mitigation through the use of computing as a "utility" -- customers only pay for the resources
they use. When a business owns its private cloud, however, it bears all of the acquisition,
deployment, support and maintenance costs involved.

References

What is private cloud (internal cloud or corporate cloud)

Question 7
You plan to deploy several Azure virtual machines.

You need to ensure that the services running on the virtual machines are
available if a single data center fails.

Solution: You deploy the virtual machines to two or more scale sets.

Does this meet the goal?

Answers
• Yes.
• No.

Explanation

Azure virtual machine scale sets let you create and manage a group of identical, load
balanced VMs. The number of VM instances can automatically increase or decrease in
response to demand or a defined schedule. Scale sets provide high availability to your
applications, and allow you to centrally manage, configure, and update a large number of
VMs. With virtual machine scale sets, you can build large-scale services for areas such as
compute, big data, and container workloads.

To provide redundancy and improved performance, applications are typically distributed
across multiple instances. Customers may access your application through a load balancer
that distributes requests to one of the application instances. If you need to perform
maintenance or update an application instance, your customers must be distributed to another
available application instance. To keep up with additional customer demand, you may need to
increase the number of application instances that run your application.

A region is a set of datacenters deployed within a latency-defined perimeter and connected
through a dedicated regional low-latency network. With more global regions than any other
cloud provider, Azure gives customers the flexibility to deploy applications where they need
to. Azure is generally available in 46 regions around the world, with plans announced for 8
additional regions.

References

Azure regions

Question 8
You plan to map a network drive from several computers that run Windows
10 to Azure Storage. You need to create a storage solution in Azure for the
planned mapped drive.

What should you create?

Answers
• An Azure SQL database.
• A virtual machine data disk.
• A Files service in a storage account.
• A Blobs service in a storage account.

Explanation


Azure Files offers fully managed file shares in the cloud that are accessible via the industry
standard Server Message Block (SMB) protocol. Azure file shares can be mounted
concurrently by cloud or on-premises deployments of Windows, Linux, and macOS.
Additionally, Azure file shares can be cached on Windows Servers with Azure File Sync for
fast access near where the data is being used.

Azure Files:

• Extend your servers to Azure with Sync for on-premises performance and capability.
• Secure data at rest and in-transit using SMB 3.0 and HTTPS.
• Simplify cloud file share management using familiar tools.
• Create high-performance file shares using the Premium Files storage tier.

References


What is Azure Files?

Question 9
Your company plans to deploy an Artificial Intelligence (AI) solution in
Azure.

What should the company use to build, test, and deploy predictive analytics
solutions?

Answers
• Azure Logic Apps.
• Azure Machine Learning Studio.
• Azure Batch.
• Azure Cosmos DB.

Explanation


Machine Learning Studio is a powerfully simple browser-based, visual drag-and-drop
authoring environment where no coding is necessary. Go from idea to deployment in a matter
of clicks.

Azure Machine Learning is designed for applied machine learning. Use best-in-class
algorithms and a simple drag-and-drop interface, and go from idea to deployment in a matter
of clicks.

References
Machine Learning Studio

Question 10
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

*** AZURE POLICIES PROVIDE *** a common platform for deploying
objects to a cloud infrastructure and for implementing consistency across the
Azure environment.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Resource groups provide.
• Azure Resource Manager provides.
• Management groups provide.

Explanation


Azure Resource Manager is the deployment and management service for Azure. It provides a
consistent management layer that enables you to create, update, and delete resources in your
Azure subscription. You can use its access control, auditing, and tagging features to secure
and organize your resources after deployment.

When you take actions through the portal, PowerShell, Azure CLI, REST APIs, or client
SDKs, the Azure Resource Manager API handles your request. Because all requests are
handled through the same API, you see consistent results and capabilities in all the different
tools. All capabilities that are available in the portal are also available through PowerShell,
Azure CLI, REST APIs, and client SDKs.

References


Azure Resource Manager overview

Azure Resource Manager


Question 11
Your company has several business units.

Each business unit requires 20 different Azure resources for daily operation.
All the business units require the same type of Azure resources.

You need to recommend a solution to automate the creation of the Azure
resources.

What should you include in the recommendations?

Answers
• Azure Resource Manager templates.
• Virtual machine scale sets.
• The Azure API Management service.
• Management groups.

Explanation


An Azure Resource Manager template defines the resources you need to deploy for your
solution. An Azure Resource Manager template is just a simple JSON file. JSON is an
open-standard file format derived from JavaScript. Note that a JSON file is a collection
of name/value pairs.

References


Azure Quickstart Templates

Question 12
Which Azure service should you use to correlate events from multiple
resources into a centralized repository?

Answers
• Azure Event Hubs.
• Azure Analysis Services.
• Azure Monitor.
• Azure Log Analytics.
Explanation
Log Analytics is a web tool used to write and execute Azure Monitor log queries. Open it by
selecting Logs in the Azure Monitor menu. It starts with a new blank query.

References


Azure Monitor

Question 13
You have an Azure environment. You need to create a new Azure virtual
machine from an Android laptop.

Solution: You use PowerShell in Azure Cloud Shell.

Does this meet the goal?

Answers
• Yes.
• No.

Explanation


PowerShell is a task-based command-line shell and scripting language built on .NET.
PowerShell helps system administrators and power-users rapidly automate tasks that manage
operating systems (Linux, macOS, and Windows) and processes.

PowerShell commands let you manage computers from the command line. PowerShell
providers let you access data stores, such as the registry and certificate store, as easily as you
access the file system. PowerShell includes a rich expression parser and a fully developed
scripting language.

References


Quickstart for PowerShell in Azure Cloud Shell

PowerShell Scripting

Question 14
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

An Azure region *** CONTAINS ONE OR MORE DATA CENTERS ***
that are connected by using a low-latency network.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Is found in each country where Microsoft has a subsidiary office.
• Can be found in every country in Europe and the Americas only.
• Contains one or more data centers that are connected by using a high-
latency network.

Explanation


Understand Azure global infrastructure:

A region is a set of datacenters deployed within a latency-defined perimeter and connected
through a dedicated regional low-latency network. With more global regions than any other
cloud provider, Azure gives customers the flexibility to deploy applications where they need
to. Azure is generally available in 46 regions around the world, with plans announced for 8
additional regions.

A geography is a discrete market, typically containing two or more regions, that preserves
data residency and compliance boundaries. Geographies allow customers with specific data-
residency and compliance needs to keep their data and applications close. Geographies are
fault-tolerant to withstand complete region failure through their connection to our dedicated
high-capacity networking infrastructure.

Availability Zones are physically separate locations within an Azure region. Each
Availability Zone is made up of one or more datacenters equipped with independent power,
cooling, and networking. Availability Zones allow customers to run mission-critical
applications with high availability and low-latency replication.

References


Azure regions
Question 15
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

You plan to deploy 20 virtual machines to an Azure environment. To ensure
that a virtual machine named VM1 cannot connect to the other virtual
machines, VM1 must *** BE DEPLOYED TO A SEPARATE VIRTUAL
NETWORK ***.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Run a different operating system than the other virtual machines.
• Be deployed to a separate resource group.
• Have two network interfaces.

Explanation


Azure Virtual Network (VNet) is the fundamental building block for your private network in
Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM),
to securely communicate with each other, the internet, and on-premises networks. VNet is
similar to a traditional network that you'd operate in your own data center, but brings with it
additional benefits of Azure's infrastructure such as scale, availability, and isolation.

VNet concepts:

Address space: When creating a VNet, you must specify a custom private IP address space
using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network
a private IP address from the address space that you assign. For example, if you deploy a VM
in a VNet with address space, 10.0.0.0/16, the VM will be assigned a private IP like 10.0.0.4.

Subnets: Subnets enable you to segment the virtual network into one or more sub-networks
and allocate a portion of the virtual network's address space to each subnet. You can then
deploy Azure resources in a specific subnet. Just like in a traditional network, subnets allow
you to segment your VNet address space into segments that are appropriate for the
organization's internal network. This also improves address allocation efficiency. You can
secure resources within subnets using Network Security Groups. For more information, see
Security groups.

Regions: VNet is scoped to a single region/location; however, multiple virtual networks from
different regions can be connected together using Virtual Network Peering.

Subscription: VNet is scoped to a subscription. You can implement multiple virtual networks
within each Azure subscription and Azure region.

References


What is Azure Virtual Network?

Virtual Network Documentation

Question 16
A support engineer plans to perform several Azure management tasks by
using the Azure CLI.

You install the CLI on a computer.

You need to tell the support engineer which tools to use to run the CLI.

Which two tools should you instruct the support engineer to use? Each
correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers
• Command Prompt.
• Azure Resource Explorer.
• Windows PowerShell.
• Windows Defender Firewall.
• Network and Sharing Center.

Explanation


For Windows the Azure CLI is installed via an MSI, which gives you access to the CLI
through the Windows Command Prompt (CMD) or PowerShell. When installing for
Windows Subsystem for Linux (WSL), packages are available for your Linux distribution.

The Azure CLI is a command-line tool providing a great experience for managing Azure
resources. The CLI is designed to make scripting easy, query data, support long-running
operations, and more.

References


Install Azure CLI on Windows

Get started with Azure CLI

Question 17
You plan to store 20 TB of data in Azure. The data will be accessed
infrequently and visualized by using Microsoft Power BI.

You need to recommend a storage solution for the data.

Which two solutions should you recommend? Each correct answer presents a
complete solution.

NOTE: Each correct selection is worth one point.

Answers
• Azure Data Lake.
• Azure Cosmos DB.
• Azure SQL Data Warehouse.
• Azure SQL Database.
• Azure Database for PostgreSQL.

Explanation


Azure Data Lake includes all the capabilities required to make it easy for developers, data
scientists, and analysts to store data of any size, shape, and speed, and do all types of
processing and analytics across platforms and languages. It removes the complexities of
ingesting and storing all of your data while making it faster to get up and running with batch,
streaming, and interactive analytics. Azure Data Lake works with existing IT investments for
identity, management, and security for simplified data management and governance. It also
integrates seamlessly with operational stores and data warehouses so you can extend current
data applications. We've drawn on the experience of working with enterprise customers and
running some of the largest scale processing and analytics in the world for Microsoft
businesses like Office 365, Xbox Live, Azure, Windows, Bing, and Skype. Azure Data Lake
solves many of the productivity and scalability challenges that prevent you from maximizing
the value of your data assets with a service that's ready to meet your current and future
business needs.

Unlock new insights from your data with Azure SQL Data Warehouse, a fully managed cloud
data warehouse for enterprises of any size that combines lightning-fast query performance
with industry-leading data security. Optimise workloads by elastically scaling your resources
in minutes. Get unlimited storage, automated administration and built-in auditing and threat
detection. Integrate seamlessly with Azure Active Directory, Azure Data Factory, Azure Data
Lake Storage, Azure Databricks and Microsoft Power BI to provide a single holistic modern
data warehouse solution for all your analytical workloads.

References


SQL Data Warehouse

https://stackify.com/azure-sql-database-vs-warehouse/

Question 18
You have a virtual machine named VM1 that runs Windows Server 2016.
VM1 is in the East US Azure region.

Which Azure service should you use from the Azure portal to view service
failure notifications that can affect the availability of VM1?

Answers
• Azure Service Fabric.
• Azure Monitor.
• Azure virtual machines.
• Azure Advisor.

Explanation


Azure Monitor maximizes the availability and performance of your applications by delivering
a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud
and on-premises environments. It helps you understand how your applications are performing
and proactively identifies issues affecting them and the resources they depend on.

All data collected by Azure Monitor fits into one of two fundamental types, metrics and logs.
Metrics are numerical values that describe some aspect of a system at a particular point in
time. They are lightweight and capable of supporting near real-time scenarios. Logs contain
different kinds of data organized into records with different sets of properties for each type.
Telemetry such as events and traces are stored as logs in addition to performance data so that
it can all be combined for analysis.

References


Azure Monitor overview
Azure Monitor Documentation

Question 19
An Azure administrator plans to run a PowerShell script that creates Azure
resources.

You need to recommend which computer configuration to use to run the
script.

Solution: Run the script from a computer that runs Linux and has the Azure
CLI tools installed.

Does this meet the goal?

Answers
• Yes.
• No.

Explanation


Install Azure CLI on Linux manually

If there's no package for the Azure CLI for your distribution, install the CLI manually by
running a script.


Question 20
You have an Azure environment that contains 10 virtual networks and 100
virtual machines.

You need to limit the amount of inbound traffic to all the Azure virtual
networks.

What should you create?

Answers
• One network security group (NSG).
• 10 virtual network gateways.
• 10 Azure ExpressRoute circuits.
• One Azure firewall.

Explanation


Azure Firewall: Cloud-native network security to protect your Azure Virtual Network
resources

References


Azure Firewall

Azure Firewall Documentation

Question 21
You have an Azure environment that contains multiple Azure virtual
machines.

You plan to implement a solution that enables the client computers on your
on-premises network to communicate to the Azure virtual machines.

You need to recommend which Azure resources must be created for the
planned solution.

Which two Azure resources should you include in the recommendation?
Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Answers
• A virtual network gateway.
• A load balancer.
• An application gateway.
• A virtual network.
• A gateway subnet.

Explanation


A VPN gateway is a specific type of virtual network gateway that is used to send encrypted
traffic between an Azure virtual network and an on-premises location over the public
Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual
networks over the Microsoft network. Each virtual network can have only one VPN gateway.
However, you can create multiple connections to the same VPN gateway. When you create
multiple connections to the same VPN gateway, all VPN tunnels share the available gateway
bandwidth.

A virtual network gateway is composed of two or more virtual machines that are deployed to
a specific subnet you create, which is called the gateway subnet. The VMs that are located in
the gateway subnet are created when you create the virtual network gateway. Virtual network
gateway VMs are configured to contain routing tables and gateway services specific to the
gateway. You can't directly configure the VMs that are part of the virtual network gateway
and you should never deploy additional resources to the gateway subnet.

VPN gateways can be deployed in Azure Availability Zones. This brings resiliency,
scalability, and higher availability to virtual network gateways. Deploying gateways in Azure
Availability Zones physically and logically separates gateways within a region, while
protecting your on-premises network connectivity to Azure from zone-level failures.

References


Connect an on-premises network to a Microsoft Azure virtual network

What is VPN Gateway?

Question 22
Your company plans to move several servers to Azure.

The company's compliance policy states that a server named FinServer must
be on a separate network segment.

You are evaluating which Azure services can be used to meet the compliance
policy requirements.

Which Azure solution should you recommend?

Answers
• A resource group for FinServer and another resource group for all
the other servers.
• A virtual network for FinServer and another virtual network for all
the other servers.
• A VPN for FinServer and a virtual network gateway for each other
server.
• One resource group for all the servers and a resource lock for
FinServer.

Explanation


Azure virtual networks are similar to LANs on your on-premises network. The idea behind an
Azure virtual network is that you create a network, based on a single private IP address space,
on which you can place all your Azure virtual machines. The private IP address spaces
available are in the Class A (10.0.0.0/8), Class B (172.16.0.0/12), and Class C
(192.168.0.0/16) ranges.

Best practice: Create network access controls between subnets. Routing between subnets
happens automatically, and you don't need to manually configure routing tables. By default,
there are no network access controls between the subnets that you create on an Azure virtual
network.

Detail: Use a network security group to protect against unsolicited traffic into Azure subnets.
Network security groups are simple, stateful packet inspection devices that use the 5-tuple
approach (source IP, source port, destination IP, destination port, and layer 4 protocol) to
create allow/deny rules for network traffic. You allow or deny traffic to and from a single IP
address, to and from multiple IP addresses, or to and from entire subnets.

When you use network security groups for network access control between subnets, you can
put resources that belong to the same security zone or role in their own subnets.
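
The default-open behaviour between subnets and the 5-tuple allow/deny rules described above can be modelled in a few lines. This is an added example, not code from the original page or from Microsoft: the addresses, the custom rule names and the `SubnetNsg` class are constructed for illustration, the two default rules are modelled on Azure's built-in AllowVnetInBound and DenyAllInBound rules with the VirtualNetwork tag replaced by the VNet prefix, and outbound rules are not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first; first match decides
    action: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    src: str        # CIDR prefix or "*"
    src_ports: str  # "*", "443" or "1024-65535"
    dst: str
    dst_ports: str


@dataclass(frozen=True)
class Flow:
    """The 5-tuple of one packet."""
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Flow(self.protocol, self.dst_ip, self.dst_port,
                    self.src_ip, self.src_port)


def ip_match(spec, ip):
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def port_match(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def rule_matches(rule, flow):
    return (rule.protocol in ("*", flow.protocol)
            and ip_match(rule.src, flow.src_ip)
            and port_match(rule.src_ports, flow.src_port)
            and ip_match(rule.dst, flow.dst_ip)
            and port_match(rule.dst_ports, flow.dst_port))


class SubnetNsg:
    """Hypothetical model of inbound filtering for one subnet."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.established = set()

    def note_outbound(self, flow):
        # Assumption: the outbound connection itself was permitted.
        self.established.add(flow)

    def inbound(self, flow):
        """Return (action, deciding rule) for a packet arriving at the subnet."""
        # Stateful: replies to a tracked connection skip rule evaluation.
        if flow.reverse() in self.established:
            return ("Allow", "established")
        for rule in self.rules:
            if rule_matches(rule, flow):
                return (rule.action, rule.name)
        return ("Deny", "no-match")


# Constructed sample: VNet 10.0.0.0/16, web subnet 10.0.1.0/24,
# finance subnet 10.0.2.0/24.
VNET = "10.0.0.0/16"
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", VNET, "*", VNET, "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*", "*"),
]
FINANCE_RULES = [
    Rule("AllowWebToFinSql", 100, "Allow", "Tcp",
         "10.0.1.0/24", "*", "10.0.2.0/24", "1433"),
    Rule("DenyVnetToFin", 200, "Deny", "*", VNET, "*", "10.0.2.0/24", "*"),
]


def demo():
    rdp = Flow("Tcp", "10.0.1.5", 50000, "10.0.2.4", 3389)
    sql = Flow("Tcp", "10.0.1.5", 50001, "10.0.2.4", 1433)
    open_nsg = SubnetNsg(DEFAULT_RULES)
    segmented = SubnetNsg(DEFAULT_RULES + FINANCE_RULES)
    return {
        "defaults_only_rdp": open_nsg.inbound(rdp),
        "segmented_rdp": segmented.inbound(rdp),
        "segmented_sql": segmented.inbound(sql),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

With only the default rules, any VM in the VNet reaches the finance subnet on any port; the two custom rules narrow that to SQL traffic from the web subnet.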

References


Plan virtual networks

Azure best practices for network security

Question 23
Your company has an Azure environment that contains resources in several
regions.

A company policy states that administrators must only be allowed to create
additional Azure resources in a region in the country where their office is
located.

You need to create the Azure resource that must be used to meet the policy
requirement.

What should you create?

Answers
• A read-only lock.
• An Azure policy.
• A management group.
• A reservation.

Explanation


Azure Policy is a service in Azure that you use to create, assign, and manage policies. These
policies enforce different rules and effects over your resources, so those resources stay
compliant with your corporate standards and service level agreements. Azure Policy meets
this need by evaluating your resources for non-compliance with assigned policies. For
example, you can have a policy to allow only a certain SKU size of virtual machines in your
environment. Once this policy is implemented, new and existing resources are evaluated for
compliance. With the right type of policy, existing resources can be brought into compliance.

There are a few key differences between Azure Policy and role-based access control (RBAC).
RBAC focuses on user actions at different scopes. You might be added to the contributor role
for a resource group, allowing you to make changes to that resource group. Azure Policy
focuses on resource properties during deployment and for already existing resources. Azure
Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure
Policy is a default allow and explicit deny system.

References


Overview of the Azure Policy service

Documentation for the Azure Policy service

Question 24
You need to configure an Azure solution that meets the following
requirements:

• Secures websites from attacks.
• Generates reports that contain details of attempted attacks.

What should you include in the solution?

Answers
• Azure Firewall.
• A network security group (NSG).
• Azure Information Protection.
• DDoS protection.

Explanation


Distributed denial of service (DDoS) attacks are some of the largest availability and security
concerns facing customers that are moving their applications to the cloud. A DDoS attack
attempts to exhaust an application's resources, making the application unavailable to
legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable
through the internet.

Product features:

• Always-on monitoring and automatic network attack mitigation
• Adaptive tuning based on platform insights in Azure
• Application layer protection with Azure Application Gateway Web Application Firewall
• Integration with Azure Monitor for analytics and insights
• Protection against the unforeseen costs of a DDoS attack

References


Azure DDoS Protection

Azure DDoS Protection Standard overview

Question 25
Your company plans to migrate all on-premises data to Azure. You need to
identify whether Azure complies with the company's regional requirements.

What should you use?

Answers
• The Knowledge Center.
• Azure Marketplace.
• The Azure portal.
• The Trust Center.

Explanation


The Azure Security Information site on Azure.com gives you the information you need to
plan, design, deploy, configure, and manage your cloud solutions securely. With the
Microsoft Trust Center, you also have the information you need to be confident that the Azure
platform on which you run your services is secure.

Compliance: Microsoft helps organizations comply with national, regional, and industry-
specific requirements governing the collection and use of individuals' data.

References


Microsoft Trust Center

Microsoft Trust Center Home

Question 26
Your company plans to automate the deployment of servers to Azure.

Your manager is concerned that you may expose administrative credentials
during the deployment.

You need to recommend an Azure solution that encrypts the administrative
credentials during the deployment.

What should you include in the recommendation?

Answers
• Azure Key Vault.
• Azure Information Protection.
• Azure Security Center.
• Azure Multi-Factor Authentication (MFA).

Explanation


Azure Key Vault helps solve the following problems:

Secrets Management - Azure Key Vault can be used to securely store and tightly control
access to tokens, passwords, certificates, API keys, and other secrets.

Key Management - Azure Key Vault can also be used as a Key Management solution. Azure
Key Vault makes it easy to create and control the encryption keys used to encrypt your data.

Certificate Management - Azure Key Vault is also a service that lets you easily provision,
manage, and deploy public and private Secure Sockets Layer/Transport Layer Security
(SSL/TLS) certificates for use with Azure and your internal connected resources.

Store secrets backed by Hardware Security Modules - The secrets and keys can be protected
either by software or by FIPS 140-2 Level 2 validated HSMs.

References


Key Vault

What is Azure Key Vault?

Question 27
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

If a resource group named RG1 has a delete lock, *** ONLY A MEMBER
OF THE GLOBAL ADMINISTRATORS GROUP *** can delete RG1.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• The delete lock must be removed before an administrator.
• An Azure policy must be modified before an administrator.
• An Azure tag must be added before an administrator.

Explanation


Lock resources to prevent unexpected changes!
As an administrator, you may need to lock a subscription, resource group, or resource to
prevent other users in your organization from accidentally deleting or modifying critical
resources. You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks
are called Delete and Read-only respectively.

CanNotDelete means authorized users can still read and modify a resource, but they can't
delete the resource.

ReadOnly means authorized users can read a resource, but they can't delete or update the
resource. Applying this lock is similar to restricting all authorized users to the permissions
granted by the Reader role.

References


How to Lock Azure Resources to Prevent Modification or Deletion

Lock resources

Question 28
Which two types of customers are eligible to use Azure Government to
develop a cloud solution? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers
• A Canadian government contractor.
• A European government contractor.
• A United States government entity.
• A United States government contractor.
• A European government entity.

Explanation


Microsoft Azure Government delivers a cloud platform built upon the foundational principles
of security, privacy and control, compliance, and transparency. Public Sector entities receive
a physically isolated instance of Microsoft Azure that employs world-class security and
compliance services critical to U.S. government for all systems and applications built on its
architecture.

US government agencies or their partners interested in cloud services that meet government
security and compliance requirements, can be confident that Microsoft Azure Government
provides world-class security, protection, and compliance services. Azure Government
delivers a dedicated cloud enabling government agencies and their partners to transform
mission-critical workloads to the cloud. Azure Government services handle data that is
subject to certain government regulations and requirements, such as FedRAMP, NIST
800.171 (DIB), ITAR, IRS 1075, DoD L4, and CJIS. In order to provide you with the highest
level of security and compliance, Azure Government uses physically isolated datacenters and
networks (located in U.S. only).

Azure Government customers (US federal, state, and local government or their partners) are
subject to validation of eligibility. If there is a question about eligibility for Azure
Government, you should consult your account team.

References


Azure Government Documentation

What is Azure Government?

Question 29
You need to ensure that when Azure Active Directory (Azure AD) users
connect to Azure AD from the Internet by using an anonymous IP address,
the users are prompted automatically to change their password.

Which Azure service should you use?

Answers
• Azure AD Connect Health.
• Azure AD Privileged Identity Management.
• Azure Advanced Threat Protection (ATP).
• Azure AD Identity Protection.

Explanation


Azure Active Directory Identity Protection enables organizations to configure automated
responses to detected suspicious actions related to user identities.

Microsoft has secured cloud-based identities for more than a decade. With Azure Active
Directory Identity Protection, in your environment, you can use the same protection systems
Microsoft uses to secure identities.

References


What is Azure Active Directory Identity Protection?
How To: Configure the sign-in risk policy

Question 30
To what should an application connect to retrieve security tokens?

Answers
• An Azure Storage account.
• Azure Active Directory (Azure AD).
• A certificate store.
• An Azure key vault.

Explanation


Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD)
developer platform. It allows developers to build applications that sign in all Microsoft
identities and get tokens to call Microsoft APIs such as Microsoft Graph or APIs that
developers have built. It's a full-featured platform that consists of an OAuth 2.0 and OpenID
Connect standard-compliant authentication service, open-source libraries, application
registration and configuration, robust conceptual and reference documentation, quickstart
samples, code samples, tutorials, and how-to guides.

References


Microsoft identity platform (formerly Azure Active Directory for developers)

Question 31
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

*** RESOURCE GROUPS *** provide organizations with the ability to
manage the compliance of Azure resources across multiple subscriptions.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Management groups.
• Azure policies.
• Azure App Service plans.

Explanation


Azure Policy is a service in Azure that you use to create, assign, and manage policies. These
policies enforce different rules and effects over your resources, so those resources stay
compliant with your corporate standards and service level agreements. Azure Policy meets
this need by evaluating your resources for non-compliance with assigned policies. For
example, you can have a policy to allow only a certain SKU size of virtual machines in your
environment. Once this policy is implemented, new and existing resources are evaluated for
compliance. With the right type of policy, existing resources can be brought into compliance.

There are a few key differences between Azure Policy and role-based access control (RBAC).
RBAC focuses on user actions at different scopes. You might be added to the contributor role
for a resource group, allowing you to make changes to that resource group. Azure Policy
focuses on resource properties during deployment and for already existing resources. Azure
Policy controls properties such as the types or locations of resources. Unlike RBAC, Azure
Policy is a default allow and explicit deny system.

References


Overview of the Azure Policy service

Tutorial: Create and manage policies to enforce compliance

Question 32
Your network contains an Active Directory forest. The forest contains 5,000
user accounts.

Your company plans to migrate all network resources to Azure and to
decommission the on-premises data center.

You need to recommend a solution to minimize the impact on users after the
planned migration.

What should you recommend?

Answers
• Implement Azure Multi-Factor Authentication (MFA).
• Sync all the Active Directory user accounts to Azure Active
Directory (Azure AD).
• Instruct all users to change their password.
• Create a guest user account in Azure Active Directory (Azure AD)
for each user.

Explanation


Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access
management service, which helps your employees sign in and access resources in:

* External resources, such as Microsoft Office 365, the Azure portal, and thousands of other
SaaS applications.

* Internal resources, such as apps on your corporate network and intranet, along with any cloud
apps developed by your own organization.

References


How to Sync On-premise AD with Windows Azure AD using Azure AD Connect tool

Step-By-Step: Syncing An On Premise AD with Azure Active Directory

Question 33
Which Azure service should you use to store certificates?

Answers
• Azure Security Center.
• An Azure Storage account.
• Azure Key Vault.
• Azure Information Protection.

Explanation


Azure Key Vault enables Microsoft Azure applications and users to store and use several
types of secret/key data:

* Cryptographic keys: Supports multiple key types and algorithms, and enables the use of
Hardware Security Modules (HSM) for high value keys.

* Secrets: Provides secure storage of secrets, such as passwords and database connection
strings.

* Certificates: Supports certificates, which are built on top of keys and secrets and add an
automated renewal feature.

* Azure Storage: Can manage keys of an Azure Storage account for you. Internally, Key Vault
can list (sync) keys with an Azure Storage Account, and regenerate (rotate) the keys
periodically.

References


About keys, secrets, and certificates

What is Azure Key Vault?

Question 34
What can Azure Information Protection encrypt?

Answers
• Network traffic.
• Documents and email messages.
• An Azure Storage account.
• An Azure SQL database.

Explanation


Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that
helps an organization classify and, optionally, protect its documents and emails by applying
labels. Labels can be applied automatically by administrators who define rules and
conditions, manually by users, or a combination where users are given recommendations.

After your content is classified (and optionally protected), you can then track and control how
it is used. You can analyze data flows to gain insight into your business, detect risky
behaviors and take corrective measures, track access to documents, prevent data leakage or
misuse, and so on.

References


What is Azure Information Protection?

Compliance and supporting information for Azure Information Protection


Quickstart: Configure a label for users to easily protect emails that contain sensitive
information

Question 35
What should you use to evaluate whether your company's Azure
environment meets regulatory requirements?

Answers
• The Knowledge Center website.
• The Advisor blade from the Azure portal.
• Compliance Manager from the Security Trust Portal.
• The Security Center blade from the Azure portal.

Explanation


Azure Security Center helps you prevent, detect, and respond to threats with increased
visibility into and control over the security of your Azure resources. It provides integrated
security monitoring and policy management across your subscriptions, helps detect threats
that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Azure Security Center is enabled with your Microsoft Azure subscription and accessed from
the Azure portal. (Sign in to the portal, select Browse, and scroll to Security Center).

References


Azure Security Center frequently asked questions (FAQ)

Regulatory compliance dashboard in Azure Security Center now available

Question 36
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

Your company implements *** AZURE POLICIES *** to automatically add
a watermark to Microsoft Word documents that contain credit card
information.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• DDoS protection.
• Azure Information Protection.
• Azure Active Directory (Azure AD) Identity Protection.

Explanation


An Azure Information Protection policy contains the following elements that you can
configure:

* Which labels are included that let administrators and users classify (and optionally, protect)
documents and emails.

* Title and tooltip for the Information Protection bar that users see in their Office
applications.

* The option to set a default label as a starting point for classifying documents and emails.

* The option to enforce classification when users save documents and send emails.

* The option to prompt users to provide a reason when they select a label that has a lower
sensitivity level than the original.

* The option to automatically label an email message, based on its attachments.

* The option to control whether the Information Protection bar is displayed in Office
applications.

* The option to control whether the Do Not Forward button is displayed in Outlook.

* The option to let users specify their own permissions for documents.

* The option to provide a custom help link for users.

References


Configuring visual markings in Azure Information Protection

Tutorial: Configure Azure Information Protection policy settings and create a new label

Question 37
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

From *** AZURE MONITOR ***, you can view which user turned off a
specific virtual machine during the last 14 days.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Azure Event Hubs.
• Azure Activity Log.
• Azure Service Health.

Explanation


The Azure Activity Log provides insight into subscription-level events that have occurred in
Azure. This includes a range of data, from Azure Resource Manager operational data to
updates on Service Health events. The Activity Log was previously known as Audit Logs or
Operational Logs, since the Administrative category reports control-plane events for your
subscriptions.

Use the Activity Log to determine the what, who, and when for any write operations (PUT,
POST, DELETE) taken on the resources in your subscription. You can also understand the
status of the operation and other relevant properties.

The Activity Log does not include read (GET) operations or operations for resources that use
the Classic/RDFE model.

There is a single Activity Log for each Azure subscription. It provides data about the
operations on a resource from the outside (the "control plane"). Diagnostic Logs are emitted
by a resource and provide information about the operation of that resource (the "data plane").
You must enable diagnostic settings for each resource.

References


Overview of Azure Activity log

View activity logs to monitor actions on resources
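
The "what, who, and when" lookup described in the explanation above can be expressed as a filter over Activity Log records. This is an added example, not part of the original practice exam: the records are constructed samples that use the `caller`, `eventTimestamp`, `operationName`, `resourceId` and `status` fields of Activity Log events, and the function name, subscription ID, callers and dates are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Control-plane operations that stop a VM.
POWER_OFF = "Microsoft.Compute/virtualMachines/powerOff/action"
DEALLOCATE = "Microsoft.Compute/virtualMachines/deallocate/action"
START = "Microsoft.Compute/virtualMachines/start/action"
STOP_OPERATIONS = {POWER_OFF.lower(), DEALLOCATE.lower()}

# Constructed resource IDs (placeholder subscription ID).
VM1 = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG1"
       "/providers/Microsoft.Compute/virtualMachines/VM1")
VM2 = VM1[:-1] + "2"


def make_event(ts, caller, operation, resource_id, status):
    """Build one constructed record holding only the fields this example reads."""
    return {"eventTimestamp": ts, "caller": caller,
            "operationName": {"value": operation},
            "resourceId": resource_id, "status": {"value": status}}


# Constructed sample data. One operation usually produces several records
# (Started, Succeeded), and a service principal appears as an object ID.
SAMPLE_EVENTS = [
    make_event("2020-05-25T09:14:07.1234567Z", "alice@contoso.example", DEALLOCATE, VM1, "Started"),
    make_event("2020-05-25T09:14:31.0000000Z", "alice@contoso.example", DEALLOCATE, VM1, "Succeeded"),
    make_event("2020-05-10T22:01:00Z", "bob@contoso.example", POWER_OFF, VM1, "Succeeded"),
    make_event("2020-05-28T03:00:00Z", "carol@contoso.example", START, VM1, "Succeeded"),
    make_event("2020-05-29T11:30:00Z", "dave@contoso.example", DEALLOCATE, VM2, "Succeeded"),
    make_event("2020-05-30T18:45:12Z", "11111111-2222-3333-4444-555555555555",
               POWER_OFF, VM1.lower(), "Succeeded"),
]

NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)  # constructed "current time"

_TS = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z")


def parse_ts(value):
    """Parse a UTC timestamp, dropping the fractional seconds (up to 7 digits)."""
    match = _TS.fullmatch(value)
    if match is None:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    return datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def who_stopped_vm(events, vm_resource_id, now, days=14):
    """Return (time, caller, operation) for each completed stop of the VM in the window."""
    cutoff = now - timedelta(days=days)
    target = vm_resource_id.lower()          # resource IDs are case-insensitive
    hits = []
    for event in events:
        operation = event["operationName"]["value"]
        if operation.lower() not in STOP_OPERATIONS:
            continue                         # not a stop operation
        if event["resourceId"].lower() != target:
            continue                         # different resource
        if event["status"]["value"] != "Succeeded":
            continue                         # count each operation once, when it completed
        when = parse_ts(event["eventTimestamp"])
        if cutoff <= when <= now:
            hits.append((when, event["caller"], operation))
    return sorted(hits)


if __name__ == "__main__":
    for when, caller, operation in who_stopped_vm(SAMPLE_EVENTS, VM1, NOW):
        print(when.isoformat(), caller, operation)
```
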


Question 38
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

You have an Azure virtual network named VNET1 in a resource group
named RG1.

You assign an Azure policy specifying that virtual networks are not an
allowed resource type in RG1. VNET1 *** IS DELETED
AUTOMATICALLY ***.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Is moved automatically to another resource group.
• Continues to function normally.
• Is now a read-only object.

Explanation


The journey of creating and implementing a policy in Azure Policy begins with creating a
policy definition. Every policy definition has conditions under which it's enforced. And, it
has a defined effect that takes place if the conditions are met.

In Azure Policy, we offer several built-in policies that are available by default. For example:

Allowed Resource Type: Defines the resource types that you can deploy. Its effect is to deny
all resources that aren't part of this defined list.

Not allowed resource types: Prevents a list of resource types from being deployed.

References


Sample - Not allowed resource types

Overview of the Azure Policy service


Question 39
Your company plans to purchase Azure.

The company's support policy states that the Azure environment must
provide an option to access support engineers by phone or email.

You need to recommend which support plan meets the support policy
requirement.

Solution: Recommend a Basic support plan.

Does this meet the goal?

Answers
• Yes.
• No.

Explanation


BASIC: No Technical Support.

DEVELOPER: Business hours access to Support Engineers via email.

STANDARD, PROFESSIONAL DIRECT, PREMIER: 24x7 access to Support Engineers via
email and phone.

References


Compare support plans

Question 40
What is required to use Azure Cost Management?

Answers
• A Dev/Test subscription.
• Software Assurance.
• An Enterprise Agreement (EA).
• A pay-as-you-go subscription.

Explanation

As enterprises accelerate cloud adoption, it is becoming increasingly important to manage
cloud costs across the organization. Last September, we announced the public preview of a
comprehensive native cost management solution for enterprise customers. We are now
excited to announce the general availability (GA) of Azure Cost Management experience that
helps organizations visualize, manage, and optimize costs across Azure.

In addition, we are excited to announce the public preview for web direct Pay-As-You-Go
customers and Azure Government cloud.

With the addition of Azure Cost Management, customers now have an always-on,
low-latency solution to understand and visualize costs with the following features available in
Cost Management:

References


Azure Cost Management now generally available for enterprise agreements and more!

What is Azure Cost Management?

Question 41
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

Your Azure trial account expired last week. You are now unable to ***
CREATE ADDITIONAL AZURE ACTIVE DIRECTORY (AZURE AD)
USER ACCOUNTS ***.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Start an existing Azure virtual machine.
• Access your data stored in Azure.
• Access the Azure portal.

Explanation


Your credit is expired:

When you sign up for an Azure free account, you get a Free Trial subscription, which
provides you $200 in Azure credits for 30 days and 12 months of free services. At the end of
30 days, Azure disables your subscription. Your subscription is disabled to protect you from
accidentally incurring charges for usage beyond the credit and free services included with
your subscription. To continue using Azure services, you must upgrade your subscription.
After you upgrade, your subscription still has access to free services for 12 months. You only
get charged for usage beyond the free services and quantities.

You reached your spending limit:

Azure subscriptions with credit such as Free Trial and Visual Studio Enterprise have
spending limits on them. This means you can only use services up to the included credit.
When your usage reaches the spending limit, Azure disables your subscription for the
remainder of that billing period. Your subscription is disabled to protect you from
accidentally incurring charges for usage beyond the credit included with your subscription.
To remove your spending limit, see Remove the spending limit in Account Center.

References


Azure free account FAQ

Reactivate a disabled Azure subscription

Question 42
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

You have several virtual machines in an Azure subscription. You create a
new subscription. *** THE VIRTUAL MACHINES CANNOT BE MOVED
TO THE NEW SUBSCRIPTION ***.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• The virtual machines can be moved to the new subscription.
• The virtual machines can be moved to the new subscription only if
they are all in the same resource group.
• The virtual machines can be moved to the new subscription only if
they run Windows Server 2016.

Explanation


Moving between subscriptions can be handy if you originally created a VM in a personal
subscription and now want to move it to your company's subscription to continue your work.
You do not need to start the VM in order to move it and it should continue to run during the
move.

New resource IDs are created as part of the move. After the VM has been moved, you will
need to update your tools and scripts to use the new resource IDs.

References


Move a Windows VM to another Azure subscription or resource group

Question 43
You attempt to create several managed Microsoft SQL Server instances in an
Azure environment and receive a message that you must increase your Azure
Subscription Limits.

What should you do to increase the limits?

Answers
• Create a service health alert.
• Upgrade your support plan.
• Modify an Azure policy.
• Create a new support request.

Explanation


If you want to raise the limit or quota above the default limit, open an online customer
support request at no charge.

Free Trial subscriptions aren't eligible for limit or quota increases. If you have a Free Trial
subscription, you can upgrade to a Pay-As-You-Go subscription. For more information, see
Upgrade your Azure Free Trial subscription to a Pay-As-You-Go subscription and the Free
Trial subscription FAQ.

Quotas for resources in Azure resource groups are per-region accessible by your subscription,
not per-subscription as the service management quotas are. Let's use vCPU quotas as an
example. To request a quota increase with support for vCPUs, you must decide how many
vCPUs you want to use in which regions. You then make a specific request for Azure
resource group vCPU quotas for the amounts and regions that you want. If you need to use 30
vCPUs in West Europe to run your application there, you specifically request 30 vCPUs in
West Europe. Your vCPU quota isn't increased in any other region--only West Europe has the
30-vCPU quota.

As a result, decide what your Azure resource group quotas must be for your workload in any
one region. Then request that amount in each region into which you want to deploy. For help
in how to determine your current quotas for specific regions, see Troubleshoot deployment
issues.

References


Azure subscription and service limits, quotas, and constraints

Question 44
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

You deploy an Azure resource. The resource becomes unavailable for an
extended period due to a service outage. Microsoft will ***
AUTOMATICALLY REFUND YOUR BANK ACCOUNT ***.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Automatically migrate the resource to another subscription.
• Automatically credit your account.
• Send you a coupon code that you can redeem for Azure credits.

Explanation


If we do not achieve and maintain the Service Levels for each Service as described in this
SLA, then you may be eligible for a credit towards a portion of your monthly service fees.
We will not modify the terms of your SLA during the initial term of your subscription;
however, if you renew your subscription, the version of this SLA that is current at the time of
renewal will apply throughout your renewal term. We will provide at least 90 days' notice for
adverse material changes to this SLA.

References


SLA for App Service

Question 45
Your company plans to migrate to Azure. The company has several
departments. All the Azure resources used by each department will be
managed by a department administrator.

You need to recommend an Azure deployment that provides the ability to
segment Azure for the departments. The solution must minimize
administrative effort.

What should you include in the recommendation?

Answers
• Multiple subscriptions.
• Multiple Azure Active Directory (Azure AD) directories.
• Multiple regions.
• Multiple resource groups.

Explanation


A subscription is an agreement with Microsoft to use one or more Microsoft cloud platforms
or services, for which charges accrue based on either a per-user license fee or on cloud-based
resource consumption. Microsoft's Software as a Service (SaaS)-based cloud offerings
(Office 365, Intune/EMS, and Dynamics 365) charge per-user license fees. Microsoft's
Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) cloud offerings (Azure)
charge based on cloud resource consumption.

You can also use a trial subscription, but the subscription expires after a specific amount of
time or consumption charges. You can convert a trial subscription to a paid subscription.

References


Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings

Question 46
Your company has an Azure subscription that contains the following unused
resources:

20 user accounts in Azure Active Directory (Azure AD).

Five groups in Azure AD.

10 public IP addresses.

10 network interfaces.

You need to reduce the Azure costs for the company.

Solution: You remove the unused network interfaces.

Does this meet the goal?

Answers
• Yes.
• No.

Explanation


When creating a virtual machine using the Azure portal, the portal creates a network interface
with default settings for you. If you'd rather specify all your network interface settings, you
can create a network interface with custom settings and attach the network interface to a
virtual machine when creating the virtual machine (using PowerShell or the Azure CLI). You
can also create a network interface and add it to an existing virtual machine (using
PowerShell or the Azure CLI). To learn how to create a virtual machine with an existing
network interface, or to add network interfaces to or remove them from existing virtual machines,
see Add or remove network interfaces. Before creating a network interface, you must have an
existing virtual network in the same location and subscription you create a network interface
in.

References


Reduce costs by deleting or reconfiguring idle virtual network gateways

Question 47
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

When you need to delegate permissions to several Azure virtual machines
simultaneously, you must deploy the Azure virtual machines *** TO THE
SAME AZURE REGION ***.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• By using the same Azure Resource Manager template.
• To the same resource group.
• To the same availability zone.

Explanation


Access management for cloud resources is a critical function for any organization that is
using the cloud. Role-based access control (RBAC) helps you manage who has access to
Azure resources, what they can do with those resources, and what areas they have access to.

Here are some examples of what you can do with RBAC:

* Allow one user to manage virtual machines in a subscription and another user to manage
virtual networks.

* Allow a DBA group to manage SQL databases in a subscription

* Allow a user to manage all resources in a resource group, such as virtual machines,
websites, and subnets

* Allow an application to access all resources in a resource group

References


Manage access to Azure resources using RBAC and the Azure portal

What is role-based access control (RBAC) for Azure resources?

Question 48
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

One of the benefits of Azure SQL Data Warehouse is that *** HIGH
AVAILABILITY *** is built into the platform.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Automatic scaling.
• Data compression.
• Versioning.

Explanation


SQL Data Warehouse is supported by a broad ecosystem of partners, including data
preparation, ingestion service and visualisation tool providers. Enjoy guaranteed 99.9 percent
availability in 40 Azure regions worldwide.

Service capabilities:

* Massive query concurrency - Democratise data across your enterprise.

* Integrated data processing - Ingest and query from multiple data types and sources within a
single solution.

* Quick and easy provisioning - Provision thousands of compute cores in less than five
minutes and scale to a petabyte in hours.

* Elastic design - Independently scale for performance or memory with separate compute and
storage.

* Advanced security - Help protect your data with virtual network service endpoints,
advanced threat detection, always-on encryption, auditing and simplified secure access.

* Fully managed infrastructure - Automate infrastructure allocation and workload
optimisation to focus on data analysis and use the built-in advisor to optimise your cloud data
warehouse.

* Strong Ecosystem - Integrate with leading data preparation and visualisation vendors and
get support from our partners to accelerate time to value.

* Powerful SQL engine - Take advantage of Microsoft SQL Server, the industry's
top-performing SQL engine, offering comprehensive support for SQL language.

* Industry-leading compliance - Help ensure peace of mind with more than 50 government
and industry compliance certifications, including HIPAA.

* Global availability - Benefit from availability in 40 Azure regions, the most among all
cloud-based data warehouse providers.

References


SQL Data Warehouse

Compare Azure SQL Database vs. Azure SQL Data Warehouse: Definitions, Differences and
When to Use

Question 49
You need to identify the type of failure for which an Azure availability zone
can be used to protect access to Azure services.

What should you identify?

Answers
• A physical server failure.
• An Azure region failure.
• A storage failure.
• An Azure data center failure.

Explanation


Availability Zones is a high-availability offering that protects your applications and data from
datacenter failures. Availability Zones are unique physical locations within an Azure region.
Each zone is made up of one or more datacenters equipped with independent power, cooling,
and networking. To ensure resiliency, there's a minimum of three separate zones in all
enabled regions. The physical separation of Availability Zones within a region protects
applications and data from datacenter failures. Zone-redundant services replicate your
applications and data across Availability Zones to protect from single-points-of-failure. With
Availability Zones, Azure offers industry best 99.99% VM uptime SLA. The full Azure SLA
explains the guaranteed availability of Azure as a whole.

An Availability Zone in an Azure region is a combination of a fault domain and an update
domain. For example, if you create three or more VMs across three zones in an Azure region,
your VMs are effectively distributed across three fault domains and three update domains.
The Azure platform recognizes this distribution across update domains to make sure that
VMs in different zones are not updated at the same time.

Build high-availability into your application architecture by co-locating your compute,
storage, networking, and data resources within a zone and replicating in other zones. Azure
services that support Availability Zones fall into two categories:

Zonal services – you pin the resource to a specific zone (for example, virtual machines,
managed disks, Standard IP addresses), or

Zone-redundant services – platform replicates automatically across zones (for example,
zone-redundant storage, SQL Database).

References


What are Availability Zones in Azure?

Question 50
Your Azure environment contains multiple Azure virtual machines.

You need to ensure that a virtual machine named VM1 is accessible from the
Internet over HTTP.

Solution: You modify a DDoS protection plan.

Does this meet the goal?

Answers
• Yes.
• No.

Explanation


You open a port, or create an endpoint, to a virtual machine (VM) in Azure by creating a
network filter on a subnet or a VM network interface. You place these filters, which control
both inbound and outbound traffic, on a network security group attached to the resource that
receives the traffic.

The example in this article demonstrates how to create a network filter that uses the standard
TCP port 80 (it's assumed you've already started the appropriate services and opened any OS
firewall rules on the VM).

After you've created a VM that's configured to serve web requests on the standard TCP port
80, you can:

1. Create a network security group.

2. Create an inbound security rule allowing traffic and assign values to the following settings:

a. Destination port ranges: 80.

b. Source port ranges: * (allows any source port).

c. Priority value: Enter a value that is less than 65,500 and higher in priority than the default
catch-all deny inbound rule.

3. Associate the network security group with the VM network interface or subnet.

References


How to open ports to a virtual machine with the Azure portal

Tutorial: Deploy and configure Azure Firewall using the Azure portal

Question 51
Your company plans to deploy several web servers and several database
servers to Azure.

You need to recommend an Azure solution to limit the types of connections
from the web servers to the database servers.

What should you include in the recommendation?

Answers
• Network security groups (NSGs).
• Azure Service Bus.
• A local network gateway.
• A route filter.

Explanation


You can filter network traffic to and from Azure resources in an Azure virtual network with a
network security group. A network security group contains security rules that allow or deny
inbound network traffic to, or outbound network traffic from, several types of Azure
resources. To learn about which Azure resources can be deployed into a virtual network and
have network security groups associated to them, see Virtual network integration for Azure
services. For each rule, you can specify source and destination, port, and protocol.

Network security group security rules are evaluated by priority using the 5-tuple information
(source, source port, destination, destination port, and protocol) to allow or deny the traffic. A
flow record is created for existing connections. Communication is allowed or denied based on
the connection state of the flow record. The flow record allows a network security group to
be stateful. If you specify an outbound security rule to any address over port 80, for example,
it's not necessary to specify an inbound security rule for the response to the outbound traffic.
You only need to specify an inbound security rule if communication is initiated externally.
The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify
an outbound security rule to respond to traffic over the port. Existing connections may not be
interrupted when you remove a security rule that enabled the flow. Traffic flows are
interrupted when connections are stopped and no traffic is flowing in either direction, for at
least a few minutes.

References


Security groups
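
The priority-ordered 5-tuple evaluation and the flow record described above, together with the port 80 inbound rule from Question 50, can be modelled in a few lines. This is an added example and not Azure's implementation: the address ranges, custom rule names and the `Nsg` class are assumptions, service tags are replaced by plain CIDR ranges, and the default load balancer and Internet rules are left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number is evaluated first
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # CIDR or "*"
    dest: str              # CIDR or "*"
    dest_ports: str        # "80", "1433-1434" or "*"
    source_ports: str = "*"


def _addr_ok(spec, ip):
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _port_ok(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def first_match(rules, proto, src, sport, dst, dport):
    """Return the first rule, in priority order, that matches the 5-tuple."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("*", proto)
                and _addr_ok(rule.source, src) and _port_ok(rule.source_ports, sport)
                and _addr_ok(rule.dest, dst) and _port_ok(rule.dest_ports, dport)):
            return rule
    return None


class Nsg:
    """One network security group with a flow table that makes it stateful."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.flows = set()

    def check(self, direction, proto, src, sport, dst, dport):
        flow = (proto, src, sport, dst, dport)
        reply = (proto, dst, dport, src, sport)
        # Traffic of an existing flow, in either direction, skips rule evaluation.
        if flow in self.flows or reply in self.flows:
            return ("Allow", "flow-record")
        rules = self.inbound if direction == "Inbound" else self.outbound
        rule = first_match(rules, proto, src, sport, dst, dport)
        if rule is None:
            return ("Deny", "no-matching-rule")
        if rule.access == "Allow":
            self.flows.add(flow)
        return (rule.access, rule.name)


# Assumed address plan: one virtual network with a web and a database subnet.
VNET, WEB_SUBNET, DB_SUBNET = "10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24"

# Default rules, with the VirtualNetwork tag modelled as the VNet CIDR.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", VNET, VNET, "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "*", VNET, VNET, "*"),
    Rule("DenyAllOutBound", 65500, "Deny", "*", "*", "*", "*"),
]


def db_subnet_nsg():
    """Question 51: only SQL traffic from the web subnet may reach the databases."""
    inbound = [
        Rule("AllowSqlFromWeb", 100, "Allow", "Tcp", WEB_SUBNET, DB_SUBNET, "1433"),
        # Needed because AllowVnetInBound would otherwise admit every VNet source.
        Rule("DenyOtherVnetInbound", 200, "Deny", "*", VNET, "*", "*"),
    ]
    outbound = [Rule("DenyAllOutboundCustom", 100, "Deny", "*", "*", "*", "*")]
    return Nsg(inbound + DEFAULT_INBOUND, outbound + DEFAULT_OUTBOUND)


def web_nic_nsg():
    """Question 50: HTTP from any source to the web VM at 10.0.1.4."""
    inbound = [Rule("AllowHttpFromInternet", 100, "Allow", "Tcp", "*", "10.0.1.4/32", "80")]
    return Nsg(inbound + DEFAULT_INBOUND, DEFAULT_OUTBOUND)


if __name__ == "__main__":
    db = db_subnet_nsg()
    print(db.check("Inbound", "Tcp", "10.0.1.4", 50000, "10.0.2.5", 1433))
    print(db.check("Outbound", "Tcp", "10.0.2.5", 1433, "10.0.1.4", 50000))
```

The reply from the database is allowed even though every outbound rule denies it, and removing `AllowSqlFromWeb` afterwards leaves the recorded flow working while new connections are refused.
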

Question 52
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

*** AUTHORIZATION *** is the process of verifying a user's credentials.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Authentication.
• Federation.
• Ticketing.

Explanation


Authentication is the process of determining whether someone or something is, in fact, who
or what it declares itself to be. Authentication technology provides access control for systems
by checking to see if a user's credentials match the credentials in a database of authorized
users or in a data authentication server.

Users are usually identified with a user ID, and authentication is accomplished when the user
provides a credential, for example a password, that matches with that user ID. Most users are
most familiar with using a password, which, as a piece of information that should be known
only to the user, is called a knowledge authentication factor.

Authorization is a security mechanism used to determine user/client privileges or access
levels related to system resources, including computer programs, files, services, data and
application features. Authorization is normally preceded by authentication for user identity
verification. System administrators (SA) are typically assigned permission levels covering all
system and user resources.

During authorization, a system verifies an authenticated user's access rules and either grants
or refuses resource access.

References


Authentication and authorization in Azure App Service

Question 53
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

Azure Germany can be used by *** LEGAL RESIDENTS OF GERMANY
ONLY ***.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Only enterprises that are registered in Germany.
• Only enterprises that purchase their Azure licenses from a partner
based in Germany.
• Any user or enterprise that requires its data to reside in Germany.

Explanation


Microsoft Azure Germany delivers a cloud platform built on the foundational principles of
security, privacy, compliance, and transparency. Azure Germany is a physically isolated
instance of Microsoft Azure. It uses world-class security and compliance services that are
critical to German data privacy regulations for all systems and applications built on its
architecture. Operated by a data trustee, Azure Germany supports multiple hybrid scenarios
for building and deploying solutions on-premises or in the cloud. You can also take
advantage of the instant scalability and guaranteed uptime of a hyperscale cloud service.

Azure Germany includes the core components of infrastructure as a service (IaaS), platform
as a service (PaaS), and software as a service (SaaS). These components include
infrastructure, network, storage, data management, identity management, and many other
services.

Azure Germany supports most of the same great features that global Azure customers have
used, like geosynchronous data replication and autoscaling.

References


Welcome to Azure Germany

Question 54
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

An organization that hosts its infrastructure *** IN A PRIVATE CLOUD
*** can decommission its data center.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• In a hybrid cloud.
• In the public cloud.
• On a Hyper-V host.

Explanation


After a workload is promoted to production, the assets that previously hosted the production
workload are no longer required to support business operations. At that point, the older assets
are considered retired. Retired assets can then be decommissioned, reducing operational
costs. Decommissioning a resource can be as simple as turning off the power to the asset and
disposing of the asset responsibly. Unfortunately, decommissioning resources can sometimes
have undesired consequences. The following guidance can aid in properly decommissioning
retired resources, with minimal business interruptions.

References


Decommission retired assets

Question 55
When you are implementing a software as a service (SaaS) solution, you are
responsible for *** CONFIGURING HIGH AVAILABILITY ***.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Defining scalability rules.
• Installing the SaaS solution.
• Configuring the SaaS solution.

Explanation


Software as a service (SaaS) allows users to connect to and use cloud-based apps over the
Internet. Common examples are email, calendaring, and office tools (such as Microsoft
Office 365).

SaaS provides a complete software solution that you purchase on a pay-as-you-go basis from
a cloud service provider. You rent the use of an app for your organization, and your users
connect to it over the Internet, usually with a web browser. All of the underlying
infrastructure, middleware, app software, and app data are located in the service provider's
data center. The service provider manages the hardware and software, and with the
appropriate service agreement, will ensure the availability and the security of the app and
your data as well. SaaS allows your organization to get quickly up and running with an app at
minimal upfront cost.

References

What is SaaS?

Question 56
You have an on-premises network that contains several servers.

You plan to migrate all the servers to Azure.

You need to recommend a solution to ensure that some of the servers are
available if a single Azure data center goes offline for an extended period.

What should you include in the recommendation?

Answers
• Fault tolerance.
• Elasticity.
• Scalability.
• Low latency.

Explanation


A High Availability system is one that is designed to be available 99.999% of the time, or as
close to it as possible. Usually this means configuring a failover system that can handle the
same workloads as the primary system.

A Fault Tolerant system is extremely similar to HA, but goes one step further by
guaranteeing zero downtime. HA still comes with a small portion of downtime, hence the
ideal of a perfect HA strategy reaching “five nines” rather than 100% uptime. The time it
takes for the intermediary layer, like the load balancer or hypervisor, to detect a problem and
restart the VM can add up to minutes or even hours over the course of yearly runtime.

Disaster Recovery goes beyond FT or HA and consists of a complete plan to recover critical
business systems and normal operations in the event of a catastrophic disaster like a major
weather event (hurricane, flood, tornado, etc), a cyberattack, or any other cause of significant
downtime. HA is often a major component of DR, which can also consist of an entirely
separate physical infrastructure site with a 1:1 replacement for every critical infrastructure
component, or at least as many as required to restore the most essential business functions.

References


High Availability vs. Fault Tolerance vs. Disaster Recovery

Question 57
You have an Active Directory forest named contoso.com.

You install and configure Azure AD Connect to use password hash
synchronization as the single sign-on (SSO) method. Staging mode is
enabled.

You review the synchronization results and discover that the
Synchronization Service Manager does not display any sync jobs.

You need to ensure that the synchronization completes successfully.

What should you do?

Answers
• Run Azure AD Connect and set the SSO method to Pass-through
Authentication.
• From Synchronization Service Manager, run a full import.
• From Azure PowerShell, run Start-AdSyncSyncCycle -PolicyType
Initial.
• Run Azure AD Connect and disable staging mode.

Explanation


Staging mode must be disabled. If the Azure AD Connect server is in staging mode,
password hash synchronization is temporarily disabled.

Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid
identity goals. It provides the following features:

Password hash synchronization - A sign-in method that synchronizes a hash of a user's
on-premises AD password with Azure AD.

Pass-through authentication - A sign-in method that allows users to use the same password
on-premises and in the cloud, but doesn't require the additional infrastructure of a federated
environment.

Federation integration - Federation is an optional part of Azure AD Connect and can be used
to configure a hybrid environment using an on-premises AD FS infrastructure. It also
provides AD FS management capabilities such as certificate renewal and additional AD FS
server deployments.

Synchronization - Responsible for creating users, groups, and other objects, as well as
making sure that identity information for your on-premises users and groups matches the
cloud. This synchronization also includes password hashes.

Health Monitoring - Azure AD Connect Health can provide robust monitoring and provide a
central location in the Azure portal to view this activity.

References


Troubleshoot password hash synchronization with Azure AD Connect sync

Question 58
You have an Azure Active Directory (Azure AD) tenant.

All administrators must enter a verification code to access the Azure portal.

You need to ensure that the administrators can access the Azure portal only
from your on-premises network.

What should you configure?

Answers
• An Azure AD Identity Protection user risk policy.
• The multi-factor authentication service settings.
• The default for all the roles in Azure AD Privileged Identity
Management.
• An Azure AD Identity Protection sign-in risk policy.

Explanation


The security of two-step verification lies in its layered approach. Compromising multiple
authentication factors presents a significant challenge for attackers. Even if an attacker
manages to learn the user's password, it is useless without also having possession of the
additional authentication method. It works by requiring two or more of the following
authentication methods:

Something you know (typically a password).

Something you have (a trusted device that is not easily duplicated, like a phone).

Something you are (biometrics).

References


How it works: Azure Multi-Factor Authentication
Planning a cloud-based Azure Multi-Factor Authentication deployment

Question 59
You have two Azure Active Directory (Azure AD) tenants named
contoso.com and fabrikam.com.

You have a Microsoft account that you use to sign in to both tenants.

You need to configure the default sign-in tenant for the Azure portal.

What should you do?

Answers
• From Azure Cloud Shell, run Set-AzureRmSubscription.
• From Azure Cloud Shell, run Set-AzureRmContext.
• From the Azure portal, configure the portal settings.
• From the Azure portal, change the directory.

Explanation


The Set-AzureRmContext cmdlet sets authentication information for cmdlets that you run in
the current session. The context includes tenant, subscription, and environment information.

Example: PS C:\>Set-AzureRmContext -SubscriptionId "xxxx-xxxx-xxxx-xxxx"

References


Set-AzureRmContext

Question 60
You need to limit the amount of inbound traffic to all the Azure virtual
networks.

What should you create?

Answers
• One network security group (NSG).
• 10 virtual network gateways.
• 10 Azure ExpressRoute circuits.
• One Azure firewall.

Explanation


Azure Firewall is a managed, cloud-based network security service that protects your Azure
Virtual Network resources. It's a fully stateful firewall-as-a-service with built-in high
availability and unrestricted cloud scalability. You can centrally create, enforce, and log
application and network connectivity policies across subscriptions and virtual networks.

Capabilities supported in Azure Firewall:

Stateful firewall as a service

Built-in high availability with unrestricted cloud scalability

FQDN filtering

FQDN tags

Network traffic filtering rules

Outbound SNAT support

Inbound DNAT support

Centrally create, enforce, and log application and network connectivity policies across Azure
subscriptions and VNETs

Fully integrated with Azure Monitor for logging and analytics

References


What is Azure Firewall?

Azure Firewall FAQ

Question 61
What should the company use to build, test, and deploy predictive analytics
solutions?

Answers
• Azure Logic Apps.
• Azure Machine Learning Studio.
• Azure Batch.
• Azure Cosmos DB.

Explanation


Azure Machine Learning Studio gives you an interactive, visual workspace to easily build,
test, and iterate on a predictive analysis model.

Microsoft Azure Machine Learning Studio is a collaborative, drag-and-drop tool you can use
to build, test, and deploy predictive analytics solutions on your data. Machine Learning
Studio publishes models as web services that can easily be consumed by custom apps or BI
tools such as Excel.

Machine Learning Studio is where data science, predictive analytics, cloud resources, and
your data meet.

To develop a predictive analysis model, you typically use data from one or more sources,
transform, and analyze that data through various data manipulation and statistical functions,
and generate a set of results. Developing a model like this is an iterative process. As you
modify the various functions and their parameters, your results converge until you are
satisfied that you have a trained, effective model.

References


What is Azure Machine Learning Studio?

Question 62
*** AZURE POLICIES PROVIDE *** a common platform for deploying
objects to a cloud infrastructure and for implementing consistency across the
Azure environment.

Instructions: Review the UPPER-CASED text surrounded by ***. If it makes
the statement correct, select "No change is needed". If the statement is
incorrect, select the answer choice that makes the statement correct.

Answers
• No change is needed.
• Resource groups provide.
• Azure Resource Manager provides.
• Management groups provide.

Explanation


Azure Resource Manager is the deployment and management service for Azure. It provides a
management layer that enables you to create, update, and delete resources in your Azure
subscription. You use management features, like access control, locks, and tags, to secure and
organize your resources after deployment.

When a user sends a request from any of the Azure tools, APIs, or SDKs, Resource Manager
receives the request. It authenticates and authorizes the request. Resource Manager sends the
request to the Azure service, which takes the requested action. Because all requests are
handled through the same API, you see consistent results and capabilities in all the different
tools.

Terminology:

resource - A manageable item that is available through Azure. Virtual machines, storage
accounts, web apps, databases, and virtual networks are examples of resources.

resource group - A container that holds related resources for an Azure solution. The resource
group includes those resources that you want to manage as a group. You decide which
resources belong in a resource group based on what makes the most sense for your
organization.

resource provider - A service that supplies Azure resources. For example, a common resource
provider is Microsoft.Compute, which supplies the virtual machine resource.
Microsoft.Storage is another common resource provider.

Resource Manager template - A JavaScript Object Notation (JSON) file that defines one or
more resources to deploy to a resource group or subscription. The template can be used to
deploy the resources consistently and repeatedly.

declarative syntax - Syntax that lets you state "Here is what I intend to create" without having
to write the sequence of programming commands to create it. The Resource Manager
template is an example of declarative syntax. In the file, you define the properties for the
infrastructure to deploy to Azure.

References


Azure Resource Manager overview

Resource Manager on Azure documentation


Question 63
Your company has an Azure Active Directory (Azure AD) tenant named
contoso.com that is configured for hybrid coexistence with the on-premises
Active Directory Domain.

The tenant contains the users shown in the following table.

User1: User Type - Member, Source - AzureAD, Sign-in - User1@contoso.com.

User2: User Type - Member, Source - Windows Server Active Directory,
Sign-in - User2@contoso.com.

User3: User Type - Guest, Source - Multiple, Sign-in - User3@outlook.com.

User4: User Type - Guest, Source - Multiple, Sign-in - User4@gmail.com.

Whenever possible, you need to enable Azure Multi-Factor Authentication
(MFA) for the users in contoso.com.

Which users should you enable for Azure MFA?

Answers
• User1 only.
• User1, User2, and User3 only.
• User1 and User2 only.
• User1, User2, User3, and User4.
• User2 only.

Explanation


The security of two-step verification lies in its layered approach. Compromising multiple
authentication factors presents a significant challenge for attackers. Even if an attacker
manages to learn the user's password, it is useless without also having possession of the
additional authentication method. It works by requiring two or more of the following
authentication methods:

Something you know (typically a password)

Something you have (a trusted device that is not easily duplicated, like a phone)

Something you are (biometrics)


Multi-Factor Authentication comes as part of the following offerings:

Azure Active Directory Premium or Microsoft 365 Business - Full featured use of Azure
Multi-Factor Authentication using Conditional Access policies to require multi-factor
authentication.

Azure AD Free or standalone Office 365 licenses - Use pre-created Conditional Access
baseline protection policies to require multi-factor authentication for your users and
administrators.

Azure Active Directory Global Administrators - A subset of Azure Multi-Factor
Authentication capabilities are available as a means to protect global administrator accounts.

References


How it works: Azure Multi-Factor Authentication

Question 64
You have an Azure Active Directory (Azure AD) tenant named
contoso.onmicrosoft.com.

The User administrator role is assigned to a user named Admin1.

An external partner has a Microsoft account that uses the
user1@outlook.com sign-in.

Admin1 attempts to invite the external partner to sign in to the Azure AD
tenant and receives the following error message: "Unable to invite user.
User1@outlook.com - Generic authorization exception."

You need to ensure that Admin1 can invite the external partner to sign in to
the Azure AD tenant.

What should you do?

Answers
• From the Roles and administrators blade, assign the Security
administrator role to Admin1.
• From the Organizational relationships blade, add an identity
provider.
• From the Custom domain names blade, add a custom domain.
• From the Users blade, modify the External collaboration settings.

Explanation


By default, all users and guests in your directory can invite guests even if they're not assigned
to an admin role. External collaboration settings let you turn guest invitations on or off for
different types of users in your organization. You can also delegate invitations to individual
users by assigning roles that allow them to invite guests.

With Azure AD B2B collaboration, a tenant admin can set the following invitation policies:

Turn off invitations

Only admins and users in the Guest Inviter role can invite

Admins, the Guest Inviter role, and members can invite

All users, including guests, can invite

References


Enable B2B external collaboration and manage who can invite guests

Question 65
You have an Azure DNS zone named adatum.com.

You need to delegate a subdomain named research.adatum.com to a different
DNS server in Azure.

What should you do?

Answers
• Create an A record named *.research in the adatum.com zone.
• Create a PTR record named research in the adatum.com zone.
• Modify the SOA record of adatum.com.
• Create an NS record named research in the adatum.com zone.

Explanation


You need to create a name server (NS) record for the zone.

The A record points your hostname to an IP address. It specifies the IPv4 address for a
given host. This is one of the most frequently used records in DNS zones.

PTR records are used for the Reverse DNS (Domain Name System) lookup. Using the IP
address you can get the associated domain/hostname. An A record should exist for every PTR
record. The usage of a reverse DNS setup for a mail server is a good solution.

The SOA means Start Of Authority. The SOA record defines the beginning of the authority
DNS zone and specifies the global parameters for the zone. The SOA record has the
following structure: "Serial number", "Primary name server (NS)", "DNS admin e-mail",
"Refresh Rate", "Retry Rate", "Expire time" and "Default TTL".

The NS records identify the name servers responsible for your DNS zone. In order to have a
valid DNS configuration, the NS records configured in the DNS zone must be exactly the
same as those configured as name servers at your domain name provider.

References


Overview of DNS zones and records
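
Why the NS record delegates and the wildcard A record from the first answer option does not, shown as an added example that is not part of the original practice exam: a simplified authoritative lookup over the adatum.com parent zone. This is not Azure DNS code; the name server names, addresses and SOA values are constructed, and wildcard matching is reduced to the single-label case.

```python
ZONE_ORIGIN = "adatum.com."

# Constructed parent zone WITH a delegation: an NS record set named "research".
DELEGATED = {
    ("adatum.com.", "SOA"): ["ns1.example.net. admin.adatum.com. 1 3600 300 2419200 300"],
    ("adatum.com.", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("www.adatum.com.", "A"): ["192.0.2.10"],
    ("research.adatum.com.", "NS"): ["ns1.child.example.", "ns2.child.example."],
}

# Constructed parent zone with only a wildcard A record named "*.research".
WILDCARD_ONLY = {
    ("adatum.com.", "SOA"): ["ns1.example.net. admin.adatum.com. 1 3600 300 2419200 300"],
    ("adatum.com.", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("*.research.adatum.com.", "A"): ["192.0.2.20"],
}


def normalize(name: str) -> str:
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def names_below_apex(qname: str, origin: str) -> list:
    """Names between the zone apex (exclusive) and qname (inclusive), top down."""
    if qname == origin:
        return []
    labels = qname[: -(len(origin) + 1)].split(".")
    return [".".join(labels[i:]) + "." + origin for i in range(len(labels) - 1, -1, -1)]


def resolve(records: dict, origin: str, qname: str, qtype: str) -> tuple:
    """Return (status, owner name, records) the way the parent zone would respond."""
    origin, qname = normalize(origin), normalize(qname)
    if not (qname == origin or qname.endswith("." + origin)):
        return ("REFUSED", qname, [])

    # 1. Zone cut: an NS set below the apex hands the whole subtree to other
    #    servers, so the parent stops answering and returns a referral.
    for name in names_below_apex(qname, origin):
        ns_set = records.get((name, "NS"))
        if ns_set:
            return ("REFERRAL", name, ns_set)

    # 2. Exact match inside this zone.
    rrset = records.get((qname, qtype))
    if rrset:
        return ("ANSWER", qname, rrset)

    # 3. The name exists (possibly only as a parent of other names) but has
    #    no data of this type.
    if any(n == qname or n.endswith("." + qname) for n, _ in records):
        return ("NODATA", qname, [])

    # 4. Wildcard (simplified): replace the leftmost label with "*".
    rrset = records.get(("*." + qname.split(".", 1)[1], qtype))
    if rrset:
        return ("ANSWER", qname, rrset)
    return ("NXDOMAIN", qname, [])


if __name__ == "__main__":
    print(resolve(DELEGATED, ZONE_ORIGIN, "host.research.adatum.com", "A"))
    print(resolve(WILDCARD_ONLY, ZONE_ORIGIN, "host.research.adatum.com", "A"))
```

With the NS record the parent returns a referral to the child's name servers; with the wildcard A record the parent keeps answering every name under research itself, so nothing is delegated.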

Question 66
Your company has a main office in London that contains 100 client
computers.

Three years ago, you migrated to Azure Active Directory (Azure AD).

The company's security policy states that all personal devices and corporate-
owned devices must be registered or joined to Azure AD.

A remote user named User1 is unable to join a personal device to Azure AD
from a home network.

You verify that other users can join their devices to Azure AD.

You need to ensure that User1 can join the device to Azure AD.

What should you do?

Answers
• From the Device settings blade, modify the Users may join devices
to Azure AD setting.
• From the Device settings blade, modify the Maximum number of
devices per user setting.
• Create a point-to-site VPN from the home network of User1 to
Azure.
• Assign the User administrator role to User1.

Explanation


Maximum number of devices - This setting enables you to select the maximum number of
devices that a user can have in Azure AD. If a user reaches this quota, they are not able to
add additional devices until one or more of the existing devices are removed. The device
quota is counted for all devices that are either Azure AD joined or Azure AD registered
today. The default value is 20.

The Maximum number of devices setting does not apply to hybrid Azure AD joined devices.

References


Manage device identities using the Azure portal

"The maximum number of devices that can be joined to the workplace by the user has been
reached" error during a Workplace Join

Question 67
Your company plans to request an architectural review of an Azure
environment from Microsoft.

The company currently has a Basic support plan.

You need to recommend a new support plan for the company. The solution
must minimize costs.

Which support plan should you recommend?

Answers
• Premier.
• Developer.
• Professional Direct.
• Standard.

Explanation


Architecture Support for Premier Plan: Customer-specific architectural support such as
design reviews, performance tuning, configuration and implementation assistance delivered
by Microsoft Azure technical specialists.

Operations Support for Premier Plan: Technical account manager-led service reviews and
reporting

Training for Premier Plan: Azure Engineering-led web seminars, on-demand training

Proactive Guidance for Premier Plan: Designated Technical Account Manager

References


Compare support plans

Question 68
You set the multi-factor authentication status for a user named
admin1@contoso.com to Enabled.

Admin1 accesses the Azure portal by using a web browser.

Which additional security verifications can Admin1 use when accessing the
Azure portal?

Answers
• A phone call, a text message that contains a verification code, and
a notification or a verification code sent from the Microsoft Authenticator
app.
• An app password, a text message that contains a verification code,
and a notification sent from the Microsoft Authenticator app.
• An app password, a text message that contains a verification code,
and a verification code sent from the Microsoft Authenticator app.
• A phone call, an email message that contains a verification code,
and a text message that contains an app password.

Explanation


Verification methods:

You can choose the verification methods that are available for your users.
When your users enroll their accounts for Azure Multi-Factor Authentication, they choose
their preferred verification method from the options that you have enabled. Guidance for the
user enrollment process is provided in Set up my account for two-step verification.

Call to phone: Places an automated voice call. The user answers the call and presses # in the
phone keypad to authenticate. The phone number is not synchronized to on-premises Active
Directory.

Text message to phone: Sends a text message that contains a verification code. The user is
prompted to enter the verification code into the sign-in interface. This process is called one-
way SMS. Two-way SMS means that the user must text back a particular code. Two-way
SMS is deprecated and not supported after November 14, 2018. Users who are configured for
two-way SMS are automatically switched to call to phone verification at that time.

Notification through mobile app: Sends a push notification to your phone or registered
device. The user views the notification and selects Verify to complete verification. The
Microsoft Authenticator app is available for Windows Phone, Android, and iOS.

Verification code from mobile app or hardware token: The Microsoft Authenticator app
generates a new OATH verification code every 30 seconds. The user enters the verification
code into the sign-in interface. The Microsoft Authenticator app is available for Windows
Phone, Android, and iOS.

References


Configure Azure Multi-Factor Authentication settings

Question 69
You have an Azure Active Directory (Azure AD) tenant named Adatum and
an Azure Subscription named Subscription1. Adatum contains a group
named Developers.

Subscription1 contains a resource group named Dev.

You need to provide the Developers group with the ability to create Azure
logic apps in the Dev resource group.

Solution: On Dev, you assign the Logic App Contributor role to the
Developers group.

Does this meet the goal?

Answers
• Yes.
• No.

Explanation


You can permit only specific users or groups to run specific operations, such as managing,
editing, and viewing logic apps. To control their permissions, use Azure Role-Based Access
Control (RBAC) to assign customized or built-in roles to members in your Azure
subscription:

Logic App Contributor: Lets you manage logic apps, but you can't change access to them.

Logic App Operator: Lets you read, enable, and disable logic apps, but you can't edit or
update them.

To prevent others from changing or deleting your logic app, you can use Azure Resource
Lock, which prevents others from changing or deleting production resources.

References


Built-in roles for Azure resources

Secure access and data in Azure Logic Apps

Question 70
You have an Azure subscription named Subscription1 that contains an Azure
Log Analytics workspace named Workspace1.

You need to view the error events from a table named Event.

Which query should you run in Workspace1?

Answers
• Get-Event Event | where ($_.EventType -eq "error").
• Get-Event Event | where ($_.EventType == "error").
• Search in (Event) * | where EventType -eq "error".
• Search in (Event) "error".
• Select * from Event where EventType == "error".
• Event | where EventType is "error".

Explanation

Table scoping: To search a term in a specific table, add in (table-name) just after the search
operator:

Search in table Event: search in (Event) "error" | take 100

Search in multiple tables: search in (Event, SecurityEvent) "error" | take 100

References


Search queries in Azure Monitor logs

Get started with Log Analytics in Azure Monitor

Question 71
You have an Azure subscription named Subscription1. Subscription1
contains the resource groups in the following table.

Name: RG1, Azure region: West Europe, Policy: Policy1

Name: RG2, Azure region: North Europe, Policy: Policy2

Name: RG3, Azure region: France Central, Policy: Policy3

RG1 has a web app named WebApp1. WebApp1 is located in West Europe.

You move WebApp1 to RG2.

What is the effect of the move?

Answers
• The App Service plan for WebApp1 moves to North Europe.
Policy2 applies to WebApp1.
• The App Service plan for WebApp1 remains in West Europe.
Policy2 applies to WebApp1.
• The App Service plan for WebApp1 moves to North Europe.
Policy1 applies to WebApp1.
• The App Service plan for WebApp1 remains in West Europe.
Policy1 applies to WebApp1.

Explanation


You can move an app to another App Service plan, as long as the source plan and the target
plan are in the same resource group and geographical region.

The region in which your app runs is the region of the App Service plan it's in. However, you
cannot change an App Service plan's region.

References


https://docs.microsoft.com/en-us/azure/app-service/app-service-plan-manage

Question 72
You have an Azure subscription that contains a resource group named RG1.
RG1 contains 100 virtual machines.

Your company has three cost centers named Manufacturing, Sales, and
Finance.

You need to associate each virtual machine to a specific cost center.

What should you do?

Answers
• Configure locks for the virtual machine.
• Add an extension to the virtual machines.
• Assign tags to the virtual machines.
• Modify the inventory settings of the virtual machine.

Explanation


Billing Tags Policy Initiative:
Requires specified tag values for cost center and product name. Uses built-in policies to apply
and enforce required tags. You specify the required values for the tags.

References


Prevent unexpected charges with Azure billing and cost management

Use tags to organize your Azure resources

Sample - Billing tags policy initiative

Question 73
You have an Azure subscription named Subscription1. Subscription1
contains a resource group named RG1. RG1 contains resources that were
deployed by using templates.

You need to view the date and time when the resources were created in RG1.

Solution: From the Subscriptions blade, you select the subscription, and then
click Programmatic deployment.

Does this meet the goal?

Answers
• Yes.
• No.

Explanation


The Azure Activity Log provides insight into subscription-level events that have occurred in
Azure. This includes a range of data, from Azure Resource Manager operational data to
updates on Service Health events. The Activity Log was previously known as Audit Logs or
Operational Logs, since the Administrative category reports control-plane events for your
subscriptions.

Use the Activity Log to determine the what, who, and when for any write operations (PUT,
POST, DELETE) taken on the resources in your subscription. You can also understand the
status of the operation and other relevant properties.

The Activity Log does not include read (GET) operations or operations for resources that use
the Classic/RDFE model.

References

Overview of Azure Activity log

Question 74
You need to move the blueprint files to Azure.

What should you do?

Answers
• Use Azure Storage Explorer to copy the files.
• Use the Azure Import/Export service.
• Generate a shared access signature (SAS). Map a drive, and then
copy the files by using File Explorer.
• Generate an access key. Map a drive, and then copy the files by
using File Explorer.

Explanation


Azure Storage Explorer is a free tool from Microsoft that allows you to work with Azure
Storage data on Windows, macOS, and Linux. You can use it to upload and download data
from Azure blob storage.

References


Move data to and from Azure Blob Storage using Azure Storage Explorer

Question 75
You have an Azure Active Directory (Azure AD) tenant that contains 5,000
user accounts.

You create a new user account named AdminUser1.

You need to assign the User administrator administrative role to
AdminUser1.

What should you do from the user account properties?


Answers
• From the Directory role blade, modify the directory role.
• From the Licenses blade, assign a new license.
• From the Groups blade, invite the user account to a new group.

Explanation


Assign a role to a user

1. Sign in to the Azure portal with an account that's a global admin or privileged role admin
for the directory.

2. Select Azure Active Directory, select Users, and then select a specific user from the list.

3. For the selected user, select Directory role, select Add role, and then pick the appropriate
admin roles from the Directory roles list, such as Conditional access administrator.

4. Press Select to save.

References


Assign administrator and non-administrator roles to users with Azure Active Directory

Question 76
You have an Azure Active Directory (Azure AD) tenant named
contosocloud.onmicrosoft.com.

Your company has a public DNS zone for contoso.com.

You add contoso.com as a custom domain name to Azure AD.

You need to ensure that Azure can verify the domain name.

Which type of DNS record should you create?

Answers
• TXT.
• SRV.
• DNSKEY.
• NSEC.
• RRSIG.
• PTR.

Explanation


You can configure Azure DNS to host a custom domain for your web apps. For example, you
can create an Azure web app and have your users access it using either www.contoso.com or
contoso.com as a fully qualified domain name (FQDN).

To do this, you have to create three records:

* A root "A" record pointing to contoso.com

* A root "TXT" record for verification

* A "CNAME" record for the www name that points to the A record

References


Tutorial: Create DNS records in a custom domain for a web app

Question 77
You plan to use the Azure Import/Export service to copy files to a storage
account.

Which two files should you create before you prepare the drives for the
import job? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Answers
• A driveset CSV file.
• A JSON configuration file.
• A PowerShell PS1 file.
• An XML manifest file.
• A dataset CSV file.

Explanation


1. Modify the driveset.csv file in the root folder where the tool resides.

2. Modify the dataset.csv file in the root folder where the tool resides. Depending on whether
you want to import a file or folder or both, add entries in the dataset.csv file.

References


Use Azure Import/Export service to import data to Azure Files

Question 78
You create an Azure Storage account named contosostorage.

You plan to create a file share named data.

Users need to map a drive to the data file share from home computers that
run Windows 10.

Which outbound port should you open between the home computers and the
data file share?

Answers
• 80.
• 443.
• 445.
• 3389.

Explanation


Azure Files is Microsoft's easy-to-use cloud file system. Azure file shares can be seamlessly
used in Windows and Windows Server.

Prerequisites:

Storage account name: To mount an Azure file share, you will need the name of the storage
account.

Storage account key: To mount an Azure file share, you will need the primary (or secondary)
storage key. SAS keys are not currently supported for mounting.

Ensure port 445 is open: The SMB protocol requires TCP port 445 to be open; connections
will fail if port 445 is blocked. You can check to see if your firewall is blocking port 445 with
the Test-NetConnection cmdlet.

References
Use an Azure file share with Windows

Question 79
You have an Azure subscription that contains the resources in the following
table.

***

Name: RG1, Type: Resource group

Name: Store1, Type: Azure Storage Account

Name: Sync1, Type: Azure File Sync

***

Store1 contains a file share named Data. Data contains 5,000 files.

You need to synchronize the files in Data to an on-premises server named Server1.

Which three actions should you perform? Each correct answer presents part
of the solution.

NOTE: Each correct selection is worth one point.

Answers
• Download an automation script.
• Register Server1.
• Create a sync group.
• Create a container instance.
• Install the Azure File Sync agent on Server1.

Explanation


Use Azure File Sync to centralize your organization's file shares in Azure Files, while
keeping the flexibility, performance, and compatibility of an on-premises file server. Azure
File Sync transforms Windows Server into a quick cache of your Azure file share. You can
use any protocol that's available on Windows Server to access your data locally, including
SMB, NFS, and FTPS. You can have as many caches as you need across the world.

Step 1: Install the Azure File Sync agent on Server1. The Azure File Sync agent is a
downloadable package that enables Windows Server to be synced with an Azure file share.

Step 2: Register Server1. Register Windows Server with Storage Sync Service. Registering
your Windows Server with a Storage Sync Service establishes a trust relationship between
your server (or cluster) and the Storage Sync Service.

Step 3: Create a sync group and a cloud endpoint. A sync group defines the sync topology for
a set of files. Endpoints within a sync group are kept in sync with each other. A sync group
must contain one cloud endpoint, which represents an Azure file share, and one or more server
endpoints. A server endpoint represents a path on a registered server.

References


Deploy Azure File Sync

Question 80
You have the Azure virtual machines shown in the following table.

***

Name: VM1, Azure Region: West Europe

Name: VM2, Azure Region: West Europe

Name: VM3, Azure Region: North Europe

Name: VM4, Azure Region: North Europe

***

You have a Recovery Services vault that protects VM1 and VM2.

You need to protect VM3 and VM4 by using Recovery Services.

What should you do first?

Answers
• Create a new backup policy.
• Configure the extensions for VM3 and VM4.
• Create a storage account.
• Create a new Recovery Services vault.

Explanation


A Recovery Services vault is a storage entity in Azure that houses data. The data is typically
copies of data, or configuration information for virtual machines (VMs), workloads, servers,
or workstations. You can use Recovery Services vaults to hold backup data for various Azure
services.

References


Set up disaster recovery for Azure VMs

Question 81
You have an Azure Active Directory (Azure AD) tenant named
contoso.onmicrosoft.com.

You hire a temporary vendor. The vendor uses a Microsoft account that has
a sign-in of user1@outlook.com.

You need to ensure that the vendor can authenticate to the tenant by using
user1@outlook.com.

What should you do?

Answers
• From the Azure portal, add a custom domain name, create a new
Azure AD user, and then specify user1@outlook.com as the username.
• From Azure Cloud Shell, run the New-AzureADUser cmdlet and
specify the "-UserPrincipalName user1@outlook.com" parameter.
• From the Azure portal, add a new guest user, and then specify
user1@outlook.com as the email address.
• From Windows PowerShell, run the New-AzureADUser cmdlet
and specify the "-UserPrincipalName user1@outlook.com" parameter.

Explanation


UserPrincipalName - contains the UserPrincipalName (UPN) of this user. The UPN is what
the user will use when they sign in to Azure AD. The common structure is @, so for Abby
Brown in Contoso.com, the UPN would be AbbyB@contoso.com

To create the user, call the New-AzureADUser cmdlet with the parameter values:

```powershell
# $PasswordProfile must already hold the password profile object for the new user.
New-AzureADUser -AccountEnabled $True -DisplayName "Abby Brown" -PasswordProfile $PasswordProfile -MailNickName "AbbyB" -UserPrincipalName "AbbyB@contoso.com"
```

References


Creating a new user in Azure AD

Question 82
You plan to automate the deployment of a virtual machine scale set that uses
the Windows Server 2016 Datacenter image.

You need to ensure that when the scale set virtual machines are provisioned,
they have web server components installed.

Which two actions should you perform? Each correct answer presents part of
the solution.

NOTE: Each correct selection is worth one point.

Answers
• Modify the extensionProfile section of the Azure Resource
Manager template.
• Create an automation account.
• Upload a configuration script.
• Create a new virtual machine scale set in the Azure portal.
• Create an Azure policy.

Explanation


Virtual Machine Scale Sets can be used with the Azure Desired State Configuration (DSC)
extension handler. Virtual machine scale sets provide a way to deploy and manage large
numbers of virtual machines, and can elastically scale in and out in response to load. DSC is
used to configure the VMs as they come online so they are running the production software.

References
Using Virtual Machine Scale Sets with the Azure DSC Extension

Question 83
You have an Azure subscription that contains a virtual machine named VM1.
VM1 hosts a line-of-business application that is available 24 hours a day.
VM1 has one network interface and one managed disk. VM1 uses the D4s v3
size.

You plan to make the following changes to VM1:

* Change the size to D8s v3.

* Add a 500-GB managed disk.

* Add the Puppet Agent extension.

* Attach an additional network interface.

Which change will cause downtime for VM1?

Answers
• Add the Puppet Agent extension.
• Change the size to D8s v3.
• Add a 500-GB managed disk.
• Attach an additional network interface.

Explanation


The VM must be in a stopped state while it is being resized.

References


Resize virtual machines

Question 84
You have an Azure virtual machine named VM1 that you use for testing.
VM1 is protected by Azure Backup.

You delete VM1.

You need to remove the backup data stored for VM1.

What should you do first?

Answers
• Delete the Recovery Services vault.
• Delete the storage account.
• Stop the backup.
• Modify the backup policy.

Explanation


Azure Backup provides backup for virtual machines - created through both the classic
deployment model and the Azure Resource Manager deployment model - by using custom-
defined backup policies in a Recovery Services vault.

With the release of backup policy management, customers can manage backup policies and
model them to meet their changing requirements from a single window. Customers can edit a
policy, associate more virtual machines to a policy, and delete unnecessary policies to meet
their compliance requirements.

You can't delete a Recovery Services vault if it is registered to a server and holds backup
data. If you try to delete a vault, but can't, the vault is still configured to receive backup data.

References


Backup policy management for Azure VM backup in a Recovery Services vault

Question 85
You have an Azure subscription named Subscription1.

You deploy a Linux virtual machine named VM1 to Subscription1.

You need to monitor the metrics and the logs of VM1.

What should you use?


Answers
• The AzurePerformanceDiagnostics extension.
• Azure HDInsight.
• Linux Diagnostic Extension (LAD) 3.0.
• Azure Analysis Services.

Explanation


You can use extensions to configure diagnostics on your VMs to collect additional metric
data.

The basic host metrics are available, but to see more granular and VM-specific metrics, you
need to install the Azure diagnostics extension on the VM. The Azure diagnostics extension
allows additional monitoring and diagnostics data to be retrieved from the VM.

References


Tutorial: Monitor and update a Linux virtual machine in Azure

Question 86
You plan to back up an Azure virtual machine named VM1.

You discover that the Backup Pre-Check status displays a status of Warning.

What is a possible cause of the Warning status?

Answers
• VM1 is stopped.
• VM1 does not have the latest version of WaAppAgent.exe
installed.
• VM1 has an unmanaged disk.
• A Recovery Services vault is unavailable.

Explanation


The WARNING state indicates one or more issues in the VM's configuration that might lead to
backup failures and provides recommended steps to ensure successful backups. Not having
the latest VM Agent installed, for example, can cause backups to fail intermittently and falls
in this class of issues.

The PASSED state indicates that your VM's configuration is conducive to successful
backups and no corrective action needs to be taken.

The CRITICAL state indicates one or more critical issues in the VM's configuration that will
lead to backup failures and provides required steps to ensure successful backups. A network
issue caused by an update to the NSG rules of a VM, for example, will fail backups as it
prevents the VM from communicating with the Azure Backup service and falls in this class
of issues.

References


Introducing Backup Pre-Checks for Backup of Azure VMs

Question 87
You have an Azure subscription named Subscription1 that is used by several
departments at your company. Subscription1 contains the resources in the
following table:

***

Name: Storage1, Type: Storage account

Name: RG1, Type: Resource group

Name: Container1, Type: Blob container

Name: Share1, Type: File share

***

Another administrator deploys a virtual machine named VM1 and an Azure
Storage account named Storage2 by using a single Azure Resource Manager
template.

You need to view the template used for the deployment.

From which blade can you view the template that was used for the
deployment?

Answers
• Container1.
• RG1.
• Share1.
• Storage1.

Explanation


View template from deployment history

1. Go to the resource group for your new resource group. Notice that the portal shows the
result of the last deployment. Select this link.

2. You see a history of deployments for the group. In your case, the portal probably lists only
one deployment. Select this deployment.

3. The portal displays a summary of the deployment. The summary includes the status of the
deployment and its operations and the values that you provided for parameters. To see the
template that you used for the deployment, select View template.

References


Manage Azure resources by using the Azure portal

Question 88
You have an Azure virtual machine named VM1. VM1 was deployed by
using a custom Azure Resource Manager template named ARM1.json.

You receive a notification that VM1 will be affected by maintenance.

You need to move VM1 to a different host immediately.

Solution: From the Redeploy blade, you click Redeploy.

Does this meet the goal?

Answers
• Yes.
• No.

Explanation


When you redeploy a VM, it moves the VM to a new node within the Azure infrastructure
and then powers it back on, retaining all your configuration options and associated resources.

References
Redeploy Windows virtual machine to new Azure node

Question 89
You download an Azure Resource Manager template based on an existing
virtual machine. The template will be used to deploy 100 virtual machines.

You need to modify the template to reference an administrative password.


You must prevent the password from being stored in plain text.

What should you create to store the password?

Answers
• An Azure Key Vault and an access policy.
• A Recovery Services vault and a backup policy.
• Azure Active Directory (AD) Identity Protection and an Azure
policy.
• An Azure Storage account and an access policy.

Explanation


You can use a template that allows you to deploy a simple Windows VM by retrieving the
password that is stored in a Key Vault. Therefore, the password is never put in plain text in
the template parameter file.

References


Secure VM password with Key Vault
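
The following is an added example, not part of the original exam material: a small check that flags secret-looking parameters passed as literal values in an Azure Resource Manager parameter file and accepts Key Vault references. Both parameter files, the vault ID, the secret name, and the name-matching heuristic are constructed assumptions.

```python
import json
import re

# Heuristic (assumption): parameter names that usually carry secrets.
SECRET_NAME = re.compile(r"(password|passwd|secret|token)", re.IGNORECASE)
SECURE_TYPES = {"securestring", "secureobject"}

# Constructed "parameters" section of a template that deploys a VM.
TEMPLATE_PARAMS = {
    "adminUsername": {"type": "string"},
    "adminPassword": {"type": "securestring"},
}

# Constructed parameter file, weak form: the password sits in the file as plain text.
WEAK_PARAMS = json.loads(r"""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {"value": "azureuser"},
    "adminPassword": {"value": "constructed-example-password"}
  }
}
""")

# Constructed parameter file, hardened form: the value is fetched from Key Vault at deployment.
HARDENED_PARAMS = json.loads(r"""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {"value": "azureuser"},
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG1/providers/Microsoft.KeyVault/vaults/example-vault"
        },
        "secretName": "vmAdminPassword"
      }
    }
  }
}
""")


def check_parameters(template_params, param_file):
    """Return (parameter, finding) pairs for secrets that are not safely referenced."""
    findings = []
    for name, entry in param_file.get("parameters", {}).items():
        ptype = template_params.get(name, {}).get("type", "").lower()
        sensitive = ptype in SECURE_TYPES or bool(SECRET_NAME.search(name))
        if "reference" in entry:
            ref = entry["reference"]
            vault_id = ref.get("keyVault", {}).get("id", "").lower()
            if "/providers/microsoft.keyvault/vaults/" not in vault_id or not ref.get("secretName"):
                findings.append((name, "incomplete Key Vault reference"))
            if ptype not in SECURE_TYPES:
                # A plain string parameter can expose the resolved secret in deployment records.
                findings.append((name, "declare as securestring in the template"))
        elif sensitive and "value" in entry:
            findings.append((name, "plain-text value; use a Key Vault reference"))
    return findings


if __name__ == "__main__":
    print("weak:", check_parameters(TEMPLATE_PARAMS, WEAK_PARAMS))
    print("hardened:", check_parameters(TEMPLATE_PARAMS, HARDENED_PARAMS))
```

The deployment can read the secret only if the vault is enabled for template deployment and the deploying identity is permitted to read it, which is where the access policy in the answer comes in.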

Question 90
You have an Azure subscription that contains three virtual networks named
VNet1, VNet2, and VNet3. VNet2 contains a virtual appliance named VM2
that operates as a router.

You are configuring the virtual networks in a hub and spoke topology that
uses VNet2 as the hub network.

You plan to configure peering between VNet1 and VNet2 and between
VNet2 and VNet3.

You need to provide connectivity between VNet1 and VNet3 through VNet2.

Which two configurations should you perform? Each correct answer presents
part of the solution.

Answers
• On the peering connections, use remote gateways.
• On the peering connections, allow forwarded traffic.
• On the peering connections, allow gateway transit.
• Create route tables and assign the table to subnets.
• Create a route filter.

Explanation


Allow gateway transit: Check this box if you have a virtual network gateway attached to this
virtual network and want to allow traffic from the peered virtual network to flow through the
gateway. For example, this virtual network may be attached to an on-premises network
through a virtual network gateway. The gateway can be an ExpressRoute or VPN gateway.
Checking this box allows traffic from the peered virtual network to flow through the gateway
attached to this virtual network to the on-premises network. If you check this box, the peered
virtual network cannot have a gateway configured. The peered virtual network must have the
Use remote gateways checkbox checked when setting up the peering from the other virtual
network to this virtual network. If you leave this box unchecked (default), traffic from the
peered virtual network still flows to this virtual network, but cannot flow through a virtual
network gateway attached to this virtual network. If the peering is between a virtual network
(Resource Manager) and a virtual network (classic), the gateway must be in the virtual
network (Resource Manager).

References


Create, change, or delete a virtual network peering

Question 91
You have a public load balancer that balances ports 80 and 443 across three
virtual machines.

You need to direct all the Remote Desktop Protocol (RDP) connections to
VM3 only.

What should you configure?

Answers
• An inbound NAT rule.
• A load balancing rule.
• A new public load balancer for VM3.
• A frontend IP configuration.

Explanation


Create an inbound NAT port-forwarding rule:

Create a load balancer inbound network address translation (NAT) rule to forward traffic
from a specific port of the front-end IP address to a specific port of a back-end VM.

1. Select All resources in the left-hand menu, and then select MyLoadBalancer from the
resource list.

2. Under Settings, select Inbound NAT rules, and then select Add.

3. On the Add inbound NAT rule page, type or select the following values:

* Name: Type MyNATRuleVM1.

* Port: Type 4221.

* Target virtual machine: Select MyVM1 from the drop-down.

* Port mapping: Select Custom.

* Target port: Type 3389.

4. Select OK.

References


Tutorial: Configure port forwarding in Azure Load Balancer using the portal

Azure Load Balancer For RDP

Question 92
You are troubleshooting a performance issue for an Azure Application
Gateway.

You need to compare the total requests to the failed requests during the past
six hours.

What should you use?

Answers
• NSG flow logs in Azure Network Watcher.
• Metrics in Application Gateway.
• Connection monitor in Azure Network Watcher.
• Diagnostics logs in Application Gateway.

Explanation


Azure Application Gateway is a web traffic load balancer that enables you to manage traffic
to your web applications. Traditional load balancers operate at the transport layer (OSI layer
4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP
address and port.

With Application Gateway, you can make routing decisions based on additional attributes of
an HTTP request, such as URI path or host headers. For example, you can route traffic based
on the incoming URL. So if /images is in the incoming URL, you can route traffic to a
specific set of servers (known as a pool) configured for images. If /video is in the URL, that
traffic is routed to another pool that's optimized for videos.

This type of routing is known as application layer (OSI layer 7) load balancing. Azure
Application Gateway can do URL-based routing and more.

By using Azure Application Gateway, you can monitor resources in the following ways:

Back-end health: Application Gateway provides the capability to monitor the health of the
servers in the back-end pools through the Azure portal and through PowerShell. You can also
find the health of the back-end pools through the performance diagnostic logs.

Logs: Logs allow for performance, access, and other data to be saved or consumed from a
resource for monitoring purposes.

Metrics: Application Gateway has several metrics which help you verify that your system is
performing as expected.

References


Back-end health and diagnostic logs for Application Gateway

Question 93
You have two subscriptions named Subscription1 and Subscription2. Each
subscription is associated to a different Azure AD tenant.

Subscription1 contains a virtual network named VNet1. VNet1 contains an
Azure virtual machine named VM1 and has an IP address space of
10.0.0.0/16.

Subscription2 contains a virtual network named VNet2. VNet2 contains an
Azure virtual machine named VM2 and has an IP address space of
10.10.0.0/24.

You need to connect VNet1 to VNet2.

What should you do first?

Answers
• Move VM1 to Subscription2.
• Modify the IP address space of VNet2.
• Provision virtual network gateways.
• Move VNet1 to Subscription2.

Explanation


The virtual networks can be in the same or different regions, and from the same or different
subscriptions. When connecting VNets from different subscriptions, the subscriptions do not
need to be associated with the same Active Directory tenant.

Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a
virtual network to another virtual network using the VNet-to-VNet connection type
(VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location.
Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and
both function the same way when communicating.

The local network gateway for each VNet treats the other VNet as a local site. This lets you
specify additional address space for the local network gateway in order to route traffic.

References


Question 94
You have an Azure subscription that contains the resources in the following
table.

***

Name: VNet1, Type: virtual network, Azure region: West US, Resource group: RG2

Name: VNet2, Type: virtual network, Azure region: West US, Resource group: RG1

Name: VNet3, Type: virtual network, Azure region: East US, Resource group: RG1

Name: NSG1, Type: Network security group (NSG), Azure region: East US, Resource group: RG2

***

To which subnets can you apply NSG1?

Answers
• The subnets on VNet2 only.
• The subnets on VNet2 and VNet3 only.
• The subnets on VNet1, VNet2, and VNet3.
• The subnets on VNet1 only.
• The subnets on VNet3 only.

Explanation


All Azure resources are created in an Azure region and subscription. A resource can only be
created in a virtual network that exists in the same region and subscription as the resource.
You can, however, connect virtual networks that exist in different subscriptions and regions.
For more information, see connectivity. When deciding which region(s) to deploy resources
in, consider where consumers of the resources are physically located:

Consumers of resources typically want the lowest network latency to their resources. To
determine relative latencies between a specified location and Azure regions, see View
relative latencies.

Do you have data residency, sovereignty, compliance, or resiliency requirements? If so,
choosing the region that aligns to the requirements is critical.

Do you require resiliency across Azure Availability Zones within the same Azure region for
the resources you deploy? You can deploy resources, such as virtual machines (VMs), to
different availability zones within the same virtual network. Not all Azure regions support
availability zones, however.

References


Plan virtual networks

Question 95
You have five Azure virtual machines that run Windows Server 2016. The
virtual machines are configured as web servers.

You have an Azure load balancer named LB1 that provides load balancing
services for the virtual machines.

You need to ensure that visitors are serviced by the same web server for
each request.

What should you configure?

Answers
• Protocol to UDP.
• Session persistence to None.
• Session persistence to Client IP.
• Idle Time-out (minutes) to 20.

Explanation


You can configure sticky sessions in load balancer rules by setting the session persistence to
Client IP.

References


Configure Azure Load Balancer For Sticky Sessions

Question 96
You have the Azure virtual networks shown in the following table.
***

Name: VNet1, Address space: 10.11.0.0/16, Subnet: 10.11.0.0/17, Azure Region: West US

Name: VNet2, Address space: 10.11.0.0/17, Subnet: 10.11.0.0/25, Azure Region: West US

Name: VNet3, Address space: 10.10.0.0/22, Subnet: 10.10.1.0/24, Azure Region: East US

Name: VNet4, Address space: 192.168.16.0/22, Subnet: 192.168.16.0/24, Azure Region: North Europe

***

To which virtual networks can you establish a peering connection from VNet1?

Answers
• VNet2 and VNet3 only.
• VNet2 only.
• VNet3 and VNet4 only.
• VNet2, VNet3, and VNet4.

Explanation


You can connect virtual networks to each other with virtual network peering. These virtual
networks can be in the same region or different regions (also known as Global VNet peering).
Once virtual networks are peered, resources in both virtual networks are able to communicate
with each other, with the same latency and bandwidth as if the resources were in the same
virtual network.

References


Tutorial: Connect virtual networks with virtual network peering using the Azure portal

Question 97
You have an Azure subscription that contains a policy-based virtual network
gateway named GW1 and a virtual network named VNet1.

You need to ensure that you can configure a point-to-site connection from
VNet1 to an on-premises computer.

Which two actions should you perform? Each correct answer presents part of
the solution.

NOTE: Each correct selection is worth one point.

Answers
• Reset GW1.
• Create a route-based virtual network gateway.
• Delete GW1.
• Add a public IP address space to VNet1.
• Add a connection to GW1.
• Add a service endpoint to VNet1.

Explanation


A VPN gateway is used when creating a VPN connection to your on-premises network.

Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let
routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on router
platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel
interface).

Policy-based VPN devices use the combinations of prefixes from both networks to define
how traffic is encrypted/decrypted through IPsec tunnels. It is typically built on firewall
devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the
packet filtering and processing engine.

Point-to-Site connections do not require a VPN device or a public-facing IP address.

References


Create a route-based VPN gateway using the Azure portal

Connect Azure VPN gateways to multiple on-premises policy-based VPN devices using
PowerShell

Question 98
You have an Azure subscription named Subscription1 that contains the
resource groups shown in the following table.

***

Name: RG1, Region: East Asia

Name: RG2, Region: East US

***

In RG1, you create a virtual machine named VM1 in the East Asia location.

You plan to create a virtual network named VNET1.

You need to create VNET1, and then connect VM1 to VNET1.

What are two possible ways to achieve this goal? Each correct answer
presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers
• Create VNET1 in RG2, and then set East Asia as the location.
• Create VNET1 in a new resource group in the West US location,
and then set West US as the location.
• Create VNET1 in RG1, and then set East US as the location.
• Create VNET1 in RG2, and then set East US as the location.
• Create VNET1 in RG1, and then set East Asia as the location.

Explanation


Resource group - A container that holds related resources for an Azure solution. The resource
group includes those resources that you want to manage as a group. You decide which
resources belong in a resource group based on what makes the most sense for your
organization.

There are some important factors to consider when defining your resource group:

* A resource group can contain resources that are located in different regions.

* All the resources in your group should share the same lifecycle. You deploy, update, and
delete them together. If one resource, such as a database server, needs to exist on a different
deployment cycle it should be in another resource group.

* Each resource can only exist in one resource group.

* You can add or remove a resource to a resource group at any time.

* You can move a resource from one resource group to another group.

* A resource group can be used to scope access control for administrative actions.

* A resource can interact with resources in other resource groups. This interaction is common
when the two resources are related but don't share the same lifecycle (for example, web apps
connecting to a database).

References


Azure Resource Manager overview

Question 99
You have an Azure subscription that contains a virtual network named
VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and
Production.

The NVA subnet contains two network virtual appliances (NVAs) that will
perform network traffic inspection between the Perimeter subnet and the
Production subnet.

You need to implement an Azure load balancer for the NVAs. The solution
must meet the following requirements:

* The NVAs must run in an active-active configuration that uses automatic
failover.

* The NVAs must load balance traffic to two services on the Production
subnet. The services have different IP addresses.

Which three actions should you perform? Each correct answer presents part
of the solution.

NOTE: Each correct selection is worth one point.

Answers
• Add two load balancing rules that have HA Ports enabled and
Floating IP disabled.
• Add a frontend IP configuration, two backend pools, and a health
probe.
• Add two load balancing rules that have HA Ports and Floating IP
enabled.
• Deploy a standard load balancer.
• Deploy a basic load balancer.
• Add a frontend IP configuration, a backend pool, and a health
probe.

Explanation


A standard load balancer is required for the HA ports.

Two backend pools are needed as there are two services with different IP addresses.

Floating IP rule is used where backend ports are reused.

HA Ports are not available for the basic load balancer.

References


Azure Standard Load Balancer overview

Multiple Frontends for Azure Load Balancer

Question 100
You manage a virtual network named VNet1 that is hosted in the West US
Azure region.

VNet1 hosts two virtual machines named VM1 and VM2 that run Windows
Server.

You need to inspect all the network traffic from VM1 to VM2 for a period of
three hours.

Solution: From Azure Network Watcher, you create a packet capture.

Does this meet the goal?

Answers
• Yes.
• No.

Explanation


Use the Connection Monitor feature of Azure Network Watcher.

Network Watcher packet capture allows you to create capture sessions to track traffic to and
from a virtual machine. Filters are provided for the capture session to ensure you capture only
the traffic you want. Packet capture helps to diagnose network anomalies, both reactively
and proactively. Other uses include gathering network statistics, gaining information on
network intrusions, debugging client-server communication, and much more. Being able to
remotely trigger packet captures eases the burden of running a packet capture manually on a
desired virtual machine, which saves valuable time.

References


Tutorial: Monitor network communication between two virtual machines using the Azure
portal

Question 101
You have an Azure subscription named Subscription1 that contains two
Azure virtual networks named VNet1 and VNet2. VNet1 contains a VPN
gateway named VPNGW1 that uses static routing. There is a site-to-site
VPN connection between your on-premises network and VNet1.

On a computer named Client1 that runs Windows 10, you configure a point-
to-site VPN connection to VNet1.

You configure virtual network peering between VNet1 and VNet2. You
verify that you can connect to VNet2 from the on-premises network. Client1
is unable to connect to VNet2.

You need to ensure that you can connect Client1 to VNet2.

What should you do?

Answers
• Select Allow gateway transit on VNet2.
• Enable BGP on VPNGW1.
• Select Allow gateway transit on VNet1.
• Download and re-install the VPN client configuration package on
Client1.

Explanation


P2S VPN routing behavior is dependent on the client OS, the protocol used for the VPN
connection, and how the virtual networks (VNets) are connected to each other.

Azure currently supports two protocols for remote access, IKEv2 and SSTP. IKEv2 is
supported on many client operating systems including Windows, Linux, MacOS, Android,
and iOS. SSTP is only supported on Windows. If you make a change to the topology of your
network and have Windows VPN clients, the VPN client package for Windows clients must
be downloaded and installed again in order for the changes to be applied to the client.

References


About Point-to-Site VPN routing

Question 102
You have an Azure subscription that contains the resources in the following
table.

***

Name: VNet1, Type: Virtual network, Details: Not applicable

Name: Subnet1, Type: Subnet, Details: Hosted on VNet1

Name: VM1, Type: Virtual machine, Details: On Subnet1

Name: VM2, Type: Virtual machine, Details: On Subnet1

***

VM1 and VM2 are deployed from the same template and host line-of-
business applications accessed by using Remote Desktop.

You need to prevent users of VM1 and VM2 from accessing websites on the
Internet over TCP port 80.

What should you do?

Answers
• Change the DenyWebSites outbound security rule.
• Change the Port_80 inbound security rule.
• Disassociate the NSG from a network interface.
• Associate the NSG to Subnet1.

Explanation


You can associate or dissociate a network security group from a network interface or subnet.

The NSG has the appropriate rule to block users from accessing the Internet. We just need to
associate it with Subnet1.

References


Create, change, or delete a network security group

Question 103
Your company registers a domain name of contoso.com.

You create an Azure DNS zone named contoso.com, and then you add an A
record to the zone for a host named www that has an IP address of
131.107.1.10.

You discover that Internet hosts are unable to resolve www.contoso.com to
the 131.107.1.10 IP address.

You need to resolve the name resolution issue.

Solution: You create a PTR record for www in the contoso.com zone.

Does this meet the goal?

Answers
• Yes.
• No.

Explanation

The Domain Name System is a hierarchy of domains. The hierarchy starts from the 'root'
domain, whose name is simply '.'. Below this come top-level domains, such as 'com', 'net',
'org', 'uk' or 'jp'. Below these are second-level domains, such as 'org.uk' or 'co.jp'. The
domains in the DNS hierarchy are globally distributed, hosted by DNS name servers around
the world.

A domain name registrar is an organization that allows you to purchase a domain name, such
as 'contoso.com'. Purchasing a domain name gives you the right to control the DNS hierarchy
under that name, for example allowing you to direct the name www.contoso.com to your
company web site. The registrar may host the domain in its own name servers on your behalf,
or allow you to specify alternative name servers.

Azure DNS provides a globally distributed, high-availability name server infrastructure,
which you can use to host your domain. By hosting your domains in Azure DNS, you can
manage your DNS records with the same credentials, APIs, tools, billing, and support as your
other Azure services.

The NS record set at the zone apex is automatically created with each DNS zone. It contains
the names of the Azure DNS name servers assigned to the zone. You can add additional name
servers to this NS record set, to support co-hosting domains with more than one DNS
provider. You can also modify the TTL and metadata for this record set. However, you
cannot remove or modify the pre-populated Azure DNS name servers.

Modify the Name Server (NS) record.

References


Tutorial: Host your domain in Azure DNS

Question 104
Mark correct statements:

Answers
• A platform as a service (PaaS) solution that hosts web apps in
Azure provides full control of the operating systems that host applications.
• A platform as a service (PaaS) solution that hosts web apps in
Azure provides the ability to scale the platform automatically.
• A platform as a service (PaaS) solution that hosts web apps in
Azure provides professional development services to continuously add
features to custom applications.

Question 105
Mark correct statements:

Answers
• Azure provides flexibility between capital expenditure (CapEx)
and operational expenditure (OpEx).
• If you create two Azure virtual machines that use the B2S size,
each virtual machine will always generate the same monthly costs.
• When an Azure virtual machine is stopped, you continue to pay
storage costs associated to the virtual machine.

Question 106
Your company plans to migrate all its data and resources to Azure.

The company's migration plan states that only platform as a service (PaaS)
solutions must be used in Azure.

You need to deploy an Azure environment that supports the planned
migration.

Solution: You create an Azure App Service and Azure Storage accounts.

Does this meet the goal?

Answers
• Yes.
• No.

Question 107
Your company plans to migrate all its data and resources to Azure.

The company's migration plan states that only platform as a service (PaaS)
solutions must be used in Azure.

You need to deploy an Azure environment that supports the planned
migration.

Solution: You create an Azure App Service and Azure virtual machines that
have Microsoft SQL Server installed.

Does this meet the goal?

Answers
• Yes.
• No.

Question 108
Your company plans to migrate all its data and resources to Azure.

The company's migration plan states that only platform as a service (PaaS)
solutions must be used in Azure.

You need to deploy an Azure environment that supports the planned
migration.

Solution: You create an Azure App Service and Azure Storage accounts.

Does this meet the goal?

Answers
• Yes.
• No.

Question 109
Choose all that apply.

Answers
• To achieve a hybrid cloud model, a company must always migrate
from a private cloud model.
• A company can extend the capacity of its internal network by using
the public cloud.
• In a public cloud model, only guest users at your company can
access the resources in the cloud.

Question 110
Which cloud deployment solution is used for Azure virtual machines and
Azure SQL databases?

Choose all that apply.

Answers
• Azure virtual machines: Infrastructure as a service (IaaS).
• Azure virtual machines: Platform as a service (PaaS).
• Azure virtual machines: Software as a service (SaaS).
• Azure SQL databases: Infrastructure as a service (IaaS).
• Azure SQL databases: Platform as a service (PaaS).
• Azure SQL databases: Software as a service (SaaS).

Question 111
You plan to migrate several servers from an on-premises network to Azure.

You need to identify the primary benefit of using a public cloud service for
the servers.

What should you identify?

Answers
• The public cloud is owned by the public, NOT a private
corporation.
• The public cloud is a crowd-sourcing solution that provides
corporations with the ability to enhance the cloud.
• All public cloud resources can be freely accessed by every member
of the public.
• The public cloud is a shared entity whereby multiple corporations
each use a portion of the resources in the cloud.

Question 112
You have 1,000 virtual machines hosted on the Hyper-V hosts in a data
center.

You plan to migrate all the virtual machines to an Azure pay-as-you-go
subscription.

You need to identify which expenditure model to use for the planned Azure
solution.

Which expenditure model should you identify?

Answers
• Operational.
• Elastic.
• Capital.
• Scalable.

References


Azure enterprise scaffold: Prescriptive subscription governance

Question 113
Match the Azure Cloud Services benefit to the correct description.

Choose all that apply.

Answers
• Disaster recovery: A cloud service that remains available after it
occurs.
• Disaster recovery: A cloud service that can be recovered after it
occurs.
• Disaster recovery: A cloud service that performs quickly when it
increases.
• Disaster recovery: A cloud service that can be accessed quickly to
the Internet.
• Fault tolerance: A cloud service that remains available after it
occurs.
• Fault tolerance: A cloud service that can be recovered after it
occurs.
• Fault tolerance: A cloud service that performs quickly when it
increases.
• Fault tolerance: A cloud service that can be accessed quickly to the
Internet.
• Low latency: A cloud service that remains available after it occurs.
• Low latency: A cloud service that can be recovered after it occurs.
• Low latency: A cloud service that performs quickly when it
increases.
• Low latency: A cloud service that can be accessed quickly to the
Internet.
• Dynamic scalability: A cloud service that remains available after it
occurs.
• Dynamic scalability: A cloud service that can be recovered after it
occurs.
• Dynamic scalability: A cloud service that performs quickly when it
increases.
• Dynamic scalability: A cloud service that can be accessed quickly
to the Internet.

References


Microsoft Azure - Fault Tolerance Pitfalls and Resolutions in the Cloud

What is cloud computing?

Question 114
Choose all that apply.

Answers
• Azure resources can only access other resources in the same
resource group.
• If you delete a resource group, all the resources in the resource
group will be deleted.
• A resource group can contain resources from multiple Azure
regions.

References


Azure Resource Manager overview

Effective ways to delete resources in a resource group on Azure

Question 115
Your company has an on-premises network that contains multiple servers.

The company plans to reduce the following administrative responsibilities of
network administrators:

* Backing up application data

* Replacing failed server hardware

* Managing physical server security

* Updating server operating systems

* Managing permissions to shared documents

The company plans to migrate several servers to Azure virtual machines.

You need to identify which administrative responsibilities will be reduced
after the planned migration.

Which two responsibilities should you identify? Each correct answer
presents a complete solution.

Answers
• Replacing failed server hardware.
• Backing up application data.
• Managing physical server security.
• Updating server operating systems.
• Managing permissions to shared documents.

Question 116
You have an Azure environment that contains 10 web apps. To which URL
should you connect to manage all the Azure resources?

Answers
• https://admin.azure.com
• https://admin.azurewebsites.com
• https://admin.microsoft.com
• https://portal.azure.com
• https://portal.azurewebsites.com
• https://portal.microsoft.com
• https://www.azure.com
• https://www.azurewebsites.com
• https://www.microsoft.com

Question 117
You plan to extend your company's network to Azure. The network contains
a VPN appliance that uses an IP address of 131.107.200.1.

You need to create an Azure resource that identifies the VPN appliance.

Which Azure resource should you create?

Answers
• Virtual networks
• Load balancers
• Virtual network gateways
• DNS zones
• Traffic Manager profiles
• Network Watcher
• Application network gateways
• CDN profiles
• ExpressRoute circuits

Question 118
Choose all that apply:

Answers
• If you have Azure resources deployed to every region, you can
implement availability zones in all regions.
• Only virtual machines that run Windows Server can be created in
availability zones.
• Availability zones are used to replicate data and applications to
multiple regions.
• None of the above

Question 119
Choose all that apply:

Answers
• Data that is copied to an Azure Storage account is maintained
automatically in at least three copies.
• All data that is copied to an Azure Storage account is backed up
automatically to another Azure data center.
• An Azure Storage account can contain up to 2 TB of data and up to
one million files.
• Choose all that apply:

Question 120
Several support engineers plan to manage Azure by using the computers
shown in the following table:

Computer 1 - Windows 10

Computer 2 - Ubuntu

Computer 3 - MacOS Mojave

You need to identify which Azure management tools can be used from each
computer.

Choose three:

Answers
• Computer 1 - The Azure CLI and Azure portal
• Computer 1 - The Azure portal and Azure PowerShell
• Computer 1 - The Azure CLI and Azure PowerShell
• Computer 1 - The Azure CLI, the Azure portal and Azure
PowerShell
• Computer 2 - The Azure CLI and Azure portal
• Computer 2 - The Azure portal and Azure PowerShell
• Computer 2 - The Azure CLI and Azure PowerShell
• Computer 2 - The Azure CLI, the Azure portal and Azure
PowerShell
• Computer 3 - The Azure CLI and Azure portal
• Computer 3 - The Azure portal and Azure PowerShell
• Computer 3 - The Azure CLI and Azure PowerShell
• Computer 3 - The Azure CLI, the Azure portal and Azure
PowerShell

References


PowerShell now Open Source AND Cross-Platform! Linux, macOS, Windows

Question 121
You plan to deploy a critical line-of-business application to Azure.

The application will run on an Azure virtual machine.

You need to recommend a deployment solution for the application. The
solution must provide a guaranteed availability of 99.99 percent.

What is the minimum number of virtual machines and the minimum number
of availability zones you should recommend for the deployment?

Answers
• Minimum number of virtual machines: 1
• Minimum number of virtual machines: 2
• Minimum number of virtual machines: 3
• Minimum number of availability zones: 1
• Minimum number of availability zones: 2
• Minimum number of availability zones: 3

References


What are Availability Zones in Azure?

Question 122
Choose all that apply:

Answers
• Azure Advisor provides recommendations on how to improve the
security of an Azure Active Directory (Azure AD) environment.
• Azure Advisor provides recommendations on how to reduce the
cost of running Azure virtual machines.
• Azure Advisor provides recommendations on how to configure the
network settings on Azure virtual machines.
• Choose all that apply:

Question 123
Choose all that apply:

Answers
• All the Azure resources deployed to a single resource group must
share the same Azure region.
• If you assign a tag to a resource group, all the Azure resources in
that resource group are assigned to the same tag.
• If you set permissions to a resource group, all the Azure resources
in that resource group inherit the permissions.

Question 124
You plan to implement an Azure database solution.

You need to implement a database solution that meets the following
requirements:

* Can add data concurrently from multiple regions

* Can store JSON documents

Which database service should you deploy?

Answers
• Azure Cosmos DB.
• Azure Database for MySQL servers.
• SQL Servers.
• SQL data warehouse.
• Azure Database for PostgreSQL servers.

Explanation


Today's applications are required to be highly responsive and always online. To achieve low
latency and high availability, instances of these applications need to be deployed in
datacenters that are close to their users. Applications need to respond in real time to large
changes in usage at peak hours, store ever increasing volumes of data, and make this data
available to users in milliseconds.

Azure Cosmos DB is Microsoft's globally distributed, multi-model database service. With a
click of a button, Cosmos DB enables you to elastically and independently scale throughput
and storage across any number of Azure regions worldwide. You can elastically scale
throughput and storage, and take advantage of fast, single-digit-millisecond data access using
your favorite API including: SQL, MongoDB, Cassandra, Tables, or Gremlin. Cosmos DB
provides comprehensive service level agreements (SLAs) for throughput, latency,
availability, and consistency guarantees, something no other database service offers.

References

Welcome to Azure Cosmos DB

Question 125
You need to view a list of planned maintenance events that can affect the
availability of an Azure subscription.

Which blade should you use from the Azure portal?

Answers
• Advisor
• Security Center
• Cost Management + Billing
• Help + support

Question 126
Choose all that apply:

Answers
• To achieve a hybrid cloud model, a company must always migrate
from a private cloud model.
• A company can extend the capacity of its internal network by using
the public cloud.
• In a public cloud model, only guest users at your company can
access the resources in the cloud.

Question 127
What is guaranteed in an Azure Service Level Agreement (SLA)?

Answers
• Uptime
• Feature availability
• Bandwidth
• Performance

References


SLA summary for Azure services

Question 128
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

An Azure service is available to all Azure customers when it is in ***
PUBLIC PREVIEW ***.

Instructions: Review the underlined text. If it makes the statement correct,
select "No change is needed". If the statement is incorrect, select the answer
choice that makes the statement correct.

Answers
• No change is needed.
• Private preview
• Development
• An Enterprise Agreement (EA) subscription

References


Supplemental Terms of Use for Microsoft Azure Previews

Question 129
This question requires that you evaluate the UPPER-CASED text surrounded
by *** to determine if it is correct.

You can create an Azure support request from support.microsoft.com.


Instructions: Review the underlined text. If it makes the statement correct,
select "No change is needed." If the statement is incorrect, select the answer
choice that makes the statement correct.

Answers
• No change is needed.
• The Azure portal
• The Knowledge Center
• The Security & Compliance admin center

Explanation


Azure enables you to create and manage support requests, also known as support tickets. You
can create and manage requests in the Azure portal, which is covered in this article. You can
also create and manage requests programmatically, using the Azure support ticket REST API.

References


How to create an Azure support request

Question 130
Your company has 10 offices. You plan to generate several billing reports
from the Azure portal. Each report will contain the Azure resource
utilization of each office.

Which Azure Resource Manager feature should you use before you generate
the reports?

Answers
• Tags
• Templates
• Locks
• Policies
